Hi all,
Well, I've compiled and installed dovecot 2.2.6 with the following options:
./configure --prefix=/usr/ --sysconfdir=/etc/ --with-mysql
--libexecdir=/usr/lib/ --localstatedir=/var
--with-moduledir=/usr/lib/dovecot/modules --disable-rpath
--disable-static --with-zlib --with-bzlib --with-solr --with-ldap
--with-gssapi --with-nss
doveconf -n:
# 2.2.6: /etc/dovecot/dovecot.conf
# OS: Linux 3.8.0-32-generic x86_64 Ubuntu 12.04.3 LTS ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
first_valid_gid = 20001
first_valid_uid = 20001
log_timestamp = %Y-%m-%d %H:%M:%S
mail_debug = yes
mail_gid = 20001
mail_home = /media/data/email/%n
mail_location = maildir:/media/data/email/%n/mail
mail_plugins = fts fts_solr acl zlib mail_log notify
mail_uid = 20001
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet
comparator-i;ascii-casemap fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex
imap4flags copy include variables body enotify environment mailbox
date spamtest spamtestplus virustest
namespace {
list = no
location =
maildir:/media/data/email/%%n/mail:INDEX=/media/data/email/%n/mail/shared/%%n
prefix = shared/%%n/
separator = /
subscriptions = no
type = shared
}
namespace inbox {
inbox = yes
location = maildir:/media/data/email/%n/mail
mailbox Sent {
auto = subscribe
}
mailbox Spam {
auto = subscribe
}
mailbox SpamFalse {
auto = subscribe
}
mailbox SpamToLearn {
auto = subscribe
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
driver = ldap
}
plugin {
acl = vfile
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename save mailbox_create
mail_log_fields = uid box msgid size
sieve = /media/data/email/%n/dovecot.sieve
sieve_after = /media/data/email/sieve/global.sieve
sieve_dir = /media/data/email/%n/sieve
zlib_save = bz2
zlib_save_level = 9
}
protocols = imap pop3 sieve lmtp
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0640
user = vmail
}
}
service imap-login {
inet_listener imap {
address = *
port = 143
}
inet_listener imaps {
address = *
port = 993
ssl = yes
}
process_limit = 256
}
service lmtp {
inet_listener lmtp {
address = *
port = 24
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
address = *
port = 4190
}
process_limit = 256
vsz_limit = 64 M
}
service pop3-login {
inet_listener pop3 {
address = *
port = 110
}
inet_listener pop3s {
address = *
port = 995
ssl = yes
}
}
ssl = required
ssl_ca = </etc/postfix/tls/cacert.pem
ssl_cert = </etc/postfix/tls/radiodjiido-cert.pem
ssl_key = </etc/postfix/tls/radiodjiido-key.pem
ssl_verify_client_cert = yes
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
protocol imap {
imap_client_workarounds = delay-newmail
imap_max_line_length = 64 k
mail_max_userip_connections = 20
mail_plugins = acl imap_acl mail_log notify zlib
}
protocol pop3 {
mail_plugins = zlib mail_log notify
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
}
protocol sieve {
managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol lda {
info_log_path =
log_path =
mail_plugins = sieve zlib mail_log notify
quota_full_tempfail = yes
syslog_facility = mail
}
protocol lmtp {
info_log_path =
log_path =
mail_plugins = sieve fts zlib mail_log notify
quota_full_tempfail = yes
}
/etc/dovecot/dovecot-ldap-passdb.conf.ext:
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
/etc/dovecot/dovecot-ldap-userdb.conf.ext:
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
user_attrs = uid=20001, gid=20001, home=/media/data/email/%n,
mail=/media/data/email/%n/mail
user_filter = (&(objectClass=person)(cn=%n)(mail=*))
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
Everything seems to work as expected so far, but:
If I move a user from the OU 'users' to a sub-OU 'administrative' in Active
Directory:
-> the user can no longer log in to Dovecot.
I have added "scope = subtree" to both the userdb and passdb files, but it
doesn't change anything (I note that the passdb's auth_bind_userdn template
above still names OU=users explicitly, so the bind DN itself may not be affected
by the search scope).
Here is the debug output when user test3 (located in ou=users,
ou=administrative) tries to log in:
Oct 30 18:49:12 serveur dovecot: auth: Debug: auth client connected
(pid=4292)
Oct 30 18:49:12 serveur dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=L6uskfDpKwAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54827
Oct 30 18:49:12 serveur dovecot: auth: Debug: client passdb out:
CONT#0111#011
Oct 30 18:49:12 serveur dovecot: auth: Debug: client in: CONT<hidden>
Oct 30 18:49:12 serveur dovecot: auth:
ldap(test3,10.10.20.208,<L6uskfDpKwAKChTQ>): invalid credentials
Oct 30 18:49:14 serveur dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=test3
As soon as I move user 'test3' back to ou=users, it can log in again:
Oct 30 18:53:57 serveur dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Oct 30 18:53:57 serveur dovecot: auth: Debug: Read auth token secret
from /var/run/dovecot/auth-token-secret.dat
Oct 30 18:53:57 serveur dovecot: auth: Debug: auth client connected
(pid=4303)
Oct 30 18:53:57 serveur dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=h+ypovDpUAAKChTQ#011lip=10.10.20.1#011rip=10.10.20.208#011lport=993#011rport=54864
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out:
CONT#0111#011
Oct 30 18:53:57 serveur dovecot: auth: Debug: client in: CONT<hidden>
Oct 30 18:53:57 serveur dovecot: auth: Debug: client passdb out:
OK#0111#011user=test3
Thanks in advance for your time and insight.
Nicolas