Error or incorrect configuration of the auth-ldap plugin?

I have installed the official auth-ldap plugin for authorization from Active Directory.
Users who are in the domain can log in to the Pertube instance without problems, while they become default Users.

Then I created 3 groups in Active Directory and changed the plugin settings

Group base
OU=PeerTube,OU=Groups,OU=Service Accounts,DC=domain,DC=local

Group filter
(objectCategory=Group)

Administrator group DN
CN=domain-sg-videoadmins,OU=PeerTube,OU=Groups,OU=Service Accounts,DC=domain,DC=local

Moderator group DN
CN=domain-sg-videomoderators,OU=PeerTube,OU=Groups,OU=Service Accounts,DC=domain,DC=local

User group DN
CN=domain-sg-videousers,OU=PeerTube,OU=Groups,OU=Service Accounts,DC=domain,DC=local

But any changes in user groups do not affect Peertube users in any way. I want to understand, is this a plugin error or is it my mistake?

I noticed one feature… If the user is a domain administrator, then when logging in to Peertube, he also becomes an instance administrator. At the same time, the user does not belong to AD groups at all:
domain-sg-videoadmins
domain-sg-videomoderators
domain-sg-videousers

Hello,

Roles are set when the user is created on peertube side (so first login). This setting won’t change user role of previously created users…

Very sorry. In this case, there is simply no point in groups. It would be nice to add the ability to synchronize groups… For example, when changing a group in AD, you can also change the group in Peertube. When using Peertube in a company, this will help a lot.

But I also don’t understand why any domain user can log in to Peertube, even if he is not a member of the AD group? What is the meaning of the group fields in the plugin?

This setting is just to assign a role. If the user in in unknown group, the plugin will assign the USER role.

I spent 1 day testing this plugin. I added users to different groups
domain-sg-videoadmins
domain-sg-videomoderators
domain-sg-videousers
But I didn’t notice any changes at all-(

I really want the groups in the plugin to work like this:

  1. In AD, the groups that I indicated above have been created.
  2. The Group base field, as well as the group fields in the plugin are filled in correctly
  3. If there are no users in AD groups, then no one can log in to Peertube.
  4. If you add a domain user to the domain-sg-videousers group, then the user can log in to Perturbed and he will have the User role.
  5. If you add a domain user to the domain-sg-videomoderators group, then the user can log in to Perturbed and he will have the Moderator role
  6. If you add a domain user to the domain-sg-videoadmin group, then the user can log in to Perturbed and he will have the Administrator role.
  7. If I add a user to another group, then his role has also changed in Peertube. The priority should always be the maximum role. For example, if the user is in 2 groups at the same time (domain-sg-videousers and also in the domain-sg-videomoderators group)