Greetings, The iteration machinery uses the LDAP search base set with the "base" directive (typically from dovecot-ldap.conf.ext); the same base used during nominal operations (e.g., passdb/userdb searches). Consider a directory: dc=ROOT |_ dc=foo,dc=com,dc=ROOT (foo.com subtree) |_ dc=bar,dc=net,dc=ROOT (bar.net subtree) A search base setting appropriate for mail operations might be: base = dc=%Dd,dc=ROOT # e.g. dc=foo,dc=com,dc=ROOT for user at foo.com This fails when iterating, as the variable substitution is meaningless in this context (and even a static subtree search base would only cover a portion of the overall directory during iterative searches). Setting the base to "dc=ROOT" obviously solves the issue at the expense of searching the entire directory for all operations. This is less than optimal. I could not find a way to override this setting at runtime via a doveadm option or similar. Ideally, a separate "iterate_base" setting would solve this issue. Any other solutions? Thanks, /taso