postfix
SergeyShibka, 2015-04-05 19:44:21

Why does Postfix look for users from the root of the domain, while Dovecot does not, when authorizing through Win2008 AD?

Hello everyone!
I have a problem with authorization against AD.
We have AD, domain kontora.com.
The domain users who will use mail are in different groups and organizational units (OUs), as they were originally.
So here is the problem. I configure Postfix for authorization through AD. I create a connection file: /etc/postfix/ad_sender_login_maps.cf

server_host     = kontora.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = password_of_vmail
search_base     = dc=kontora,dc=com
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = userPrincipalName
debuglevel      = 0

Testing:
postmap -q [email protected] ldap:/etc/postfix/ad_sender_login_maps.cf
I get the response:
[email protected]
user1 is in the "Department 1" OU in the root of the kontora.com domain
Testing:
postmap -q [email protected] ldap:/etc/postfix/ad_sender_login_maps.cf
I get the response:
[email protected]
user2 is in the "Department 2" OU in the root of the kontora.com domain
To clarify: user1 and user2 are in different OUs relative to the domain root, and when Postfix searches for a user it starts from the root of the domain and goes through all the OUs.
And now I have run into a problem: Dovecot does not search for users from the root of the domain, but only within one OU.
That is, I create a connection file: /etc/dovecot/dovecot-ldap.conf
hosts           = kontora.com:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail
dnpass          = passwd_of_vmail
base            = dc=kontora,dc=com
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/

I try to connect to the mailbox with a client and get a rejection, i.e. the user cannot be found.
But as soon as I change the connection setting from
base = dc=kontora,dc=com
to
base = ou=Department 1,dc=kontora,dc=com
then, provided that, for example, user1 is in the Department 1 OU, Dovecot performs authorization normally.
So the question is: why does Postfix search for users normally across the entire domain from its root, while Dovecot only searches if the users are in an OU? How can I make Dovecot search for users from the root of the domain?
Or at least search in the group to which mail users will be attached, because this also failed to work.
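An added example (my own code, not from the thread and not from the Postfix or Dovecot projects) that models what the two filters above do against a small constructed in-memory directory: it honours the search base and scope, evaluates the userAccountControl bit test (matching rule OID 1.2.840.113556.1.4.803 is a bitwise AND, and bit 2 is ACCOUNTDISABLE) that keeps disabled accounts out, and substitutes the login into %s/%u with RFC 4515 escaping so the difference between an escaped and an unescaped substitution is visible. The directory entries, the third user "olduser", and the simplification that a hit returns userPrincipalName rather than the entry DN are assumptions of mine; the example does not explain why a real AD search from the domain root fails for Dovecot, it only lets you check what the filter and base should select.

```python
"""Offline model of the AD lookup both configs on the page perform (added
example, not code from the thread). It evaluates the page's filter against
constructed entries while honouring base and scope, so the effect of the
search base and of the userAccountControl bit test can be checked without a DC."""
import re

BITWISE_AND_OID = "1.2.840.113556.1.4.803"   # AD "LDAP_MATCHING_RULE_BIT_AND"
POSTFIX_FILTER = ("(&(userPrincipalName=%s)(objectClass=person)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
DOVECOT_FILTER = POSTFIX_FILTER.replace("%s", "%u")  # Dovecot's placeholder

def _entry(upn, uac):
    return {"objectClass": ["top", "person", "user"],
            "userPrincipalName": [upn], "userAccountControl": [str(uac)]}

# Constructed sample directory (assumption); the OUs mirror the ones in the question.
DIRECTORY = {
    "cn=user1,ou=Department 1,dc=kontora,dc=com": _entry("user1@kontora.com", 512),
    "cn=user2,ou=Department 2,dc=kontora,dc=com": _entry("user2@kontora.com", 512),
    # 514 = 512 | 2, i.e. a disabled account that must never authenticate
    "cn=olduser,ou=Department 2,dc=kontora,dc=com": _entry("olduser@kontora.com", 514),
}

def escape_filter_value(value):
    """RFC 4515 escaping of the characters that could alter filter structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def parse(text):
    """Parse the filter subset used on the page into and/not/eq/bitand nodes."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", f"expected '(' at offset {pos}"
        pos += 1
        if text[pos] == "&":          # (&(a)(b)...)
            pos, kids = pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                  # closing ')'
            return ("and", kids)
        if text[pos] == "!":          # (!(a))
            pos += 1
            kid = node()
            pos += 1
            return ("not", kid)
        end = text.index(")", pos)
        body, pos = text[pos:end], end + 1
        m = re.fullmatch(r"([\w.]+):([\d.]+):=(\d+)", body)   # attr:OID:=bits
        if m:
            return ("bitand", m.group(1), m.group(2), int(m.group(3)))
        attr, value = body.split("=", 1)
        return ("eq", attr, value)
    return node()

def eq_match(pattern, value):
    """Case-insensitive match; '*' is the only wildcard and \\xx is a literal byte."""
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(map(re.escape, parts)), value, re.I) is not None

def matches(tree, entry):
    kind = tree[0]
    if kind == "and":
        return all(matches(k, entry) for k in tree[1])
    if kind == "not":
        return not matches(tree[1], entry)
    if kind == "eq":
        return any(eq_match(tree[2], v) for v in entry.get(tree[1], []))
    assert tree[2] == BITWISE_AND_OID, "only the bitwise-AND rule is modelled"
    return any((int(v) & tree[3]) == tree[3] for v in entry.get(tree[1], []))

def in_scope(dn, base, scope):
    """True if dn lies under base for scope base/one/sub (Dovecot spellings too)."""
    scope = {"subtree": "sub", "onelevel": "one"}.get(scope, scope)
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def lookup(base, scope, template, login, escape=True):
    """Substitute login for %s/%u and return the userPrincipalName of every
    in-scope entry the filter matches. escape=False shows what an unescaped
    substitution would allow; the real Postfix and Dovecot escape it."""
    safe = escape_filter_value(login) if escape else login
    tree = parse(template.replace("%s", safe).replace("%u", safe))
    return [e["userPrincipalName"][0] for dn, e in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(tree, e)]

if __name__ == "__main__":
    for base in ("dc=kontora,dc=com", "ou=Department 1,dc=kontora,dc=com"):
        for login in ("user1@kontora.com", "user2@kontora.com", "olduser@kontora.com"):
            print(f"{base:34} {login:20} -> {lookup(base, 'sub', POSTFIX_FILTER, login)}")
```

Run as a script it shows the root base finding both enabled users while the ou=Department 1 base excludes user2, and the disabled account never being returned from either base; confirming that last case is the check worth doing before trusting the filter, since it is the userAccountControl clause, not the password check, that stops a disabled account from logging in.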

1 answer(s)
ebutovo, 2016-04-18
@ebutovo

That's all good, but it doesn't know how to search; however many years have passed, it still doesn't know how. Use saslauthd and you will be happy. Such a crutch.
