
I have a little bit of a problem with my LDAP groups.

I have:

import ldap
from django_auth_ldap.config import GroupOfNamesType, LDAPGroupQuery, LDAPSearch, LDAPSearchUnion

AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"),
    LDAPSearch("OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"))
...
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = (
        LDAPGroupQuery("CN=ENGINEER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net")
        | LDAPGroupQuery("CN=READER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net")
        | LDAPGroupQuery("CN=ADMIN,OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net"))

AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}

I can log in via an LDAP user, but it does not populate my groups (in the admin view); when I add a user to a group manually, then on every new login of this member the group is not assigned anymore.
Now when I change the code to:

AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=group)"))
...
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = (
        LDAPGroupQuery("CN=ENGINEER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net")
        | LDAPGroupQuery("CN=READER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net")
        | LDAPGroupQuery("CN=ADMIN,OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net"))

AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}

It populates my groups with ALL groups in LDAP where the member exists; we don't want to do that, we only need to consider those 3 mentioned groups.
I also tried objectClass=top and it also populates with all LDAP groups that the user has assigned.
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="CN") changes nothing in both cases.
We need to populate Django with only those 3 groups. The needed effect is that group assignment in Django is persistent, not cleared on every login of the user.

gipcu

1 Answer

I have managed it by adding the specified CN to AUTH_LDAP_GROUP_SEARCH:

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion

AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("CN=ENGINEER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("CN=READER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("CN=ADMIN,OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net", ldap.SCOPE_SUBTREE, "(objectClass=group)"))

gipcu
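As an added illustration (not code from the post or from django-auth-ldap), here is a small dependency-free Python model of the search that GroupOfNamesType runs for a user: the union of each LDAPSearch base with SCOPE_SUBTREE and the filter (&(objectClass=...)(member=<user DN>)). The directory entries, the user alice and the PRINTER-USERS group are constructed sample data; the example shows why a subtree search rooted at an OU returns every group under that OU that lists the user, while rooting each search at a group's own DN returns at most that one group.

```python
# Added example (not from the post or from django-auth-ldap): a small model of the
# group search GroupOfNamesType runs for a user, i.e. the union of every LDAPSearch
# base with SCOPE_SUBTREE and the filter (&(objectClass=<class>)(member=<user_dn>)).
# The directory entries, the user and the PRINTER-USERS group are constructed.
ENGINEER = "CN=ENGINEER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net"
READER = "CN=READER,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net"
ADMIN = "CN=ADMIN,OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net"
OTHER = "CN=PRINTER-USERS,OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net"
ALICE = "CN=alice,OU=Users,DC=ad,DC=net"

# Active Directory groups carry objectClass "group", not "groupOfNames", which is
# why the question's first filter found no groups at all.
DIRECTORY = {
    ENGINEER: {"objectClass": ["top", "group"], "member": [ALICE]},
    READER: {"objectClass": ["top", "group"], "member": []},
    OTHER: {"objectClass": ["top", "group"], "member": [ALICE]},  # unrelated, same OU
    ADMIN: {"objectClass": ["top", "group"], "member": [ALICE]},
}
OU_BASES = [  # the question's bases: whole OUs
    "OU=U3,OU=UserGroups,OU=U1,OU=CompanyUsers,DC=ad,DC=net",
    "OU=Apps,OU=Security Groups,OU=Groups,OU=B2,OU=Tenants,DC=ad,DC=net",
]
CN_BASES = [ENGINEER, READER, ADMIN]  # the answer's bases: the three groups themselves

def in_subtree(dn, base):
    """SCOPE_SUBTREE matches the base entry itself and everything below it; DNs compare case-insensitively."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def search(base, object_class, user_dn):
    """One LDAPSearch: groups under `base` of the given class that list the user as a member."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base)
            and object_class in attrs["objectClass"]
            and user_dn in attrs["member"]]

def user_groups(bases, object_class, user_dn):
    """LDAPSearchUnion: run every search and merge the results."""
    found = set()
    for base in bases:
        found.update(search(base, object_class, user_dn))
    return sorted(found)

def group_names(dns):
    """GroupOfNamesType(name_attr="cn"): the Django group name is the group's CN."""
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in dns]
```

Narrowing AUTH_LDAP_GROUP_SEARCH only changes which LDAP groups django-auth-ldap sees for the user; authentication is still gated by AUTH_LDAP_REQUIRE_GROUP, so that setting stays in place.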