Postfix: LDAP not working (warning: dict_ldap_lookup: Search base not found: 32: No such object)

Posted by Heinzi on Server Fault
Published on 2012-12-17T21:42:42Z Indexed on 2012/12/17 23:04 UTC

I set up LDAP access with postfix.

ldapsearch -D "cn=postfix,ou=users,ou=system,[domain]" -w postfix -b "ou=users,ou=people,[domain]" -s sub "(&(objectclass=inetOrgPerson)(mail=[mailaddr]))"

delivers the correct entry. The LDAP config file looks like

root@server2:/etc/postfix/ldap# cat mailbox_maps.cf 
server_host = localhost
search_base = ou=users,ou=people,[domain]
scope = sub
bind = yes
bind_dn = cn=postfix,ou=users,ou=system,[domain]
bind_pw = postfix
query_filter = (&(objectclass=inetOrgPerson)(mail=%s))
result_attribute = uid
debug_level = 2

The bind_dn and bind_pw should be the same as I used above with ldapsearch. Nevertheless, calling postmap doesn't work:

root@server2:/etc/postfix/ldap# postmap -q [mailaddr] ldap:/etc/postfix/ldap/mailbox_maps.cf
postmap: warning: dict_ldap_lookup: /etc/postfix/ldap/mailbox_maps.cf: Search base 'ou=users,ou=people,[domain]' not found: 32: No such object

If I change the LDAP configuration so that anonymous users have complete access to LDAP

olcAccess: {-1}to * by * read

then it works:

root@server2:/etc/postfix/ldap# postmap -q [mailaddr] ldap:/etc/postfix/ldap/mailbox_maps.cf 
[user-id]

But when I restrict this access to the postfix user:

olcAccess: {-1}to * by dn="cn=postfix,ou=users,ou=system,[domain]" read by * break

it doesn't work but produces the error printed above (although ldapsearch works, only postmap doesn't).

Why doesn't it work when binding with a postfix DN? I think I set up the LDAP ACL for the postfix user correctly, as the ldapsearch command should prove. What can be the reason for this behaviour?
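An added example, not part of the original post: one way to make the ldapsearch test match what Postfix actually sends is to derive the command line from the map file itself, including the defaults that ldap_table(5) applies when a parameter is omitted (such as the protocol version) and the RFC 2254 escaping of the lookup key. The function names are hypothetical, and the sample map is constructed, with dc=example,dc=org standing in for the redacted [domain].

```python
import shlex

# Defaults documented in ldap_table(5); note that version defaults to 2.
DEFAULTS = {"server_host": "localhost", "server_port": "389", "scope": "sub",
            "bind": "yes", "version": "2", "result_attribute": "maildrop"}

def parse_map(text):
    # Postfix syntax: "name = value", "#" comments, indented continuation lines.
    cfg, last = dict(DEFAULTS), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            cfg[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            cfg[last] = value.strip()
    return cfg

def escape_filter(key):
    # RFC 2254 escaping, which Postfix applies to the key substituted for %s.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in key)

def ldapsearch_argv(cfg, key):
    host = cfg["server_host"].split()[0]
    uri = host if "://" in host else "ldap://%s:%s" % (host, cfg["server_port"])
    argv = ["ldapsearch", "-x", "-P", cfg["version"], "-H", uri]
    if cfg["bind"] == "yes" and cfg.get("bind_dn"):
        # -W prompts for bind_pw, keeping it out of argv and shell history.
        argv += ["-D", cfg["bind_dn"], "-W"]
    argv += ["-b", cfg["search_base"], "-s", cfg["scope"],
             cfg["query_filter"].replace("%s", escape_filter(key))]
    return argv + cfg["result_attribute"].replace(",", " ").split()

# Constructed sample: dc=example,dc=org stands in for the redacted [domain].
SAMPLE = """\
server_host = localhost
search_base = ou=users,ou=people,dc=example,dc=org
scope = sub
bind = yes
bind_dn = cn=postfix,ou=users,ou=system,dc=example,dc=org
bind_pw = postfix
query_filter = (&(objectclass=inetOrgPerson)(mail=%s))
result_attribute = uid
"""

if __name__ == "__main__":
    print(shlex.join(ldapsearch_argv(parse_map(SAMPLE), "user@example.org")))
```

Running the printed command and comparing its result with `postmap -q` shows whether the directory treats the two clients differently once bind method, protocol version, base, scope and filter are identical.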
