
Setup mail server in Docker with FreeIPA and Roundcube


I am trying to set up my own mail server with authentication against LDAP (FreeIPA). Everything must run in Docker containers. I don't know what I'm doing wrong; maybe it's my LDAP configuration.

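version: '3.9'

services:
  freeipa:
    image: freeipa/freeipa-server:centos-9-stream-4.10.0
    container_name: ipa
    restart: unless-stopped
    tty: true
    stdin_open: true
    # Docker forms the container FQDN as <hostname>.<domainname>, which here yields
    # ipa.ipa.example.local while IPA_SERVER_HOSTNAME below says ipa.example.local.
    # NOTE(review): verify the name the container actually ends up with; a single
    # `hostname: ipa.example.local` avoids the doubling.
    hostname: ipa
    domainname: ipa.example.local
    #read_only: true
    networks:
      priv_network:
        ipv4_address: 172.16.1.10
    extra_hosts:
      - "ipa.example.local:172.16.1.10"
    environment:
      - IPA_SERVER_HOSTNAME=ipa.example.local
      - IPA_SERVER_IP=172.16.1.10
      - TZ=Europe/Berlin
    # NOTE(review): the directory-manager and admin passwords are committed in clear
    # text here and the same value is reused as the mail server's LDAP bind password
    # below. Prefer an untracked env file with compose interpolation
    # (e.g. --ds-password=${IPA_DS_PASSWORD:?}) so this file can be shared safely.
    command:
      - --realm=example.local
      - --domain=example.local
      - --ds-password=secret123
      - --admin-password=secret123
      - --no-host-dns
      - --setup-dns
      # --auto-forwarders was listed twice in the original; one occurrence is enough.
      - --auto-forwarders
      - --allow-zone-overlap
      - --no-dnssec-validation
      - --unattended
      - --skip-mem-check
      - --auto-reverse
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    volumes:
      - ./vol/freeipa/data:/data
      # NOTE(review): the usual log directory is /var/log; /var/logs looks like a
      # typo — confirm, otherwise the bind mount just creates an unused directory.
      - ./vol/freeipa/logs:/var/logs
      - ./vol/freeipa/config:/root/pw-portal/config
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /var/cache
      - /tmp
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    # Port mappings are quoted so no YAML 1.1 parser can read them as numbers.
    # Publishing 389 (clear-text LDAP) and 443 on the host exposes the directory
    # beyond the compose network; drop them if only the other two services need
    # to reach FreeIPA.
    ports:
      - "443:443"
      - "389:389"

  roundcubemail:
    image: roundcube/roundcubemail:latest
    container_name: roundcubemail
    volumes:
      - ./vol/roundcube/www:/var/www/html
      - ./vol/roundcube/db/sqlite:/var/roundcube/db
    ports:
      - "9002:80"
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      # NOTE(review): TLS to a bare IP means the mail server's certificate name
      # cannot match the host Roundcube connects to; use the mail container's
      # name/FQDN here once it resolves, so certificate checks stay enabled.
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://172.16.1.11
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://172.16.1.11
    networks:
      priv_network:

  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    # Same hostname/domainname doubling as the freeipa service (mail.mail.example.local);
    # NOTE(review): verify against the name Postfix logs ("mail") and the certificate.
    hostname: mail
    domainname: mail.example.local
    restart: unless-stopped
    volumes:
      - ./vol/mailserver/data/:/var/mail/
      - ./vol/mailserver/state/:/var/mail-state/
      - ./vol/mailserver/logs/:/var/log/mail/
      - ./vol/mailserver/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro

    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ACCOUNT_PROVISIONER=LDAP
      # ldap:// sends the bind password in clear text; FreeIPA also serves
      # LDAPS/STARTTLS, so prefer that (docker-mailserver: LDAP_START_TLS) once the
      # IPA CA is trusted inside this container.
      - LDAP_SERVER_HOST=ldap://ipa
      # NOTE(review): binding as the IPA admin gives the mail server full directory
      # rights; a dedicated read-only bind account (FreeIPA "system account") is
      # the least-privilege choice.
      - LDAP_BIND_DN=uid=admin,cn=users,cn=accounts,dc=example,dc=local
      - LDAP_BIND_PW=secret123
      - LDAP_SEARCH_BASE=cn=users,cn=accounts,dc=example,dc=local
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(mail=%U@%s)
      # NOTE(review): "(|)" is an empty OR filter; the "Search error 2: Protocol
      # error" on ldap-aliases.cf in the posted log is consistent with 389-ds
      # rejecting it. A syntactically valid filter that never matches (e.g. on an
      # attribute the entries lack) avoids the error.
      - LDAP_QUERY_FILTER_ALIAS=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_GROUP=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_SENDERS=(mail=%s)
      - SPOOF_PROTECTION=1
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      # NOTE(review): the value as posted reads "%[email protected]", which looks like
      # an e-mail obfuscation artefact of the page; confirm the real filter text.
      - SASLAUTHD_LDAP_FILTER=(&(mail=%[email protected])(objectClass=inetOrgPerson))
      - ONE_DIR=1
      # PERMIT_DOCKER=host lets anything on the Docker host's networks relay
      # without authentication; "connected-networks" or "none" is tighter if only
      # these containers send mail.
      - PERMIT_DOCKER=host
      # NOTE(review): the log shows the login name "test.user" (no domain), so %u
      # expands to "test.user" and (mail=test.user) cannot match an entry whose
      # mail attribute holds the full address. Either log in with the full address
      # or match the user part with (uid=%n).
      - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(mail=%u))
      # NOTE(review): FreeIPA does not hand out userPassword hashes to ordinary
      # binds, so a password lookup via %{ldap:userPassword} is unlikely to work;
      # authenticate by binding as the user instead (docker-mailserver:
      # DOVECOT_AUTH_BIND=yes).
      - DOVECOT_PASS_ATTRS==password=%{ldap:userPassword},=user=%{ldap:uid}
      - DOVECOT_USER_ATTRS==home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
    cap_add:
      - NET_ADMIN
    networks:
      priv_network:
        ipv4_address: 172.16.1.11

networks:
  priv_network:
    name: ext_priv_network
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.16.1.0/24
          gateway: 172.16.1.1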

I created a user and logged into IPA for the first time to set the password. When I try to log in to Roundcube, I just get a login failure. The mail server printed the following messages.

Dec 25 08:59:52 mail dovecot: auth: ldap(test.user,172.16.1.2,<m+/uPaPw4pasEAEC>): unknown user (SHA1 of given password: f2b14f)
Dec 25 08:59:54 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test.user>, method=PLAIN, rip=172.16.1.2, lip=172.16.1.11, session=<m+/uPaPw4pasEAEC>
Dec 25 09:00:39 mail postfix/pickup[1906]: 517F864B0E: uid=101 from=<root>
Dec 25 09:00:39 mail postfix/cleanup[1910]: 517F864B0E: message-id=<[email protected]>
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "[email protected]"
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: 517F864B0E: virtual_alias_maps map lookup problem for [email protected] -- message not accepted, try again later
Dec 25 09:00:39 mail postfix/pickup[1906]: 5228D64B0E: uid=0 from=<root>
Dec 25 09:00:39 mail postfix/cleanup[1923]: 5228D64B0E: message-id=<[email protected]>
Dec 25 09:00:39 mail postfix/cleanup[1923]: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup[1923]: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "[email protected]"

What is the correct LDAP syntax for the Dovecot variables DOVECOT_USER_FILTER, DOVECOT_PASS_ATTRS and DOVECOT_USER_ATTRS?

Or maybe there is a way to test the LDAP connection from Dovecot?


