OK, we debugged the queries and filter and the problem was at the beginning. We had the wrong objectClass in LDAP.
We used groupOfNames instead of posixGroup, which led to partial function of the LDAP auth. Syncing groups works (from cron or the refresh button) but dynamic refresh on login didn’t (because there is a different LDAP query using memberUid, which is a POSIX attribute).
We changed the LDAP group to posixGroup (which is in fact also in the Foreman documentation) and it looks like everything works now.
For others with a similar problem, check the LDAP group: it has to be posixGroup with memberUid attributes containing only the login (uid) part of the user.
@Marek_Hulan thanks a lot for your time and consult
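The shape the post describes (posixGroup entries whose memberUid values are bare uids, not groupOfNames entries with member DNs) is easy to audit before pointing Foreman at a directory. The script below is an added example and not Foreman's own code or anything from the thread; the LDIF it checks is constructed for illustration, the DNs and group names are made up, and the "bare uid" heuristic (no `=` or `,` in the value) is an assumption that fits typical directories.

```python
"""Added example: flag LDAP group entries that will not work with a
login-time group refresh that queries memberUid. Not Foreman code; the
sample LDIF is constructed and the names in it are placeholders."""

# Constructed sample LDIF: one groupOfNames (wrong objectClass), one correct
# posixGroup, and one posixGroup whose memberUid values are full DNs
# instead of bare uids (a common half-fix).
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ops
gidNumber: 5001
memberUid: alice
memberUid: bob

dn: cn=dev,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: dev
gidNumber: 5002
memberUid: uid=carol,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> list of values.
    Handles only the plain 'attr: value' form (no base64 '::', no line folding)."""
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_group(entry):
    """Return a list of problems with one group entry; empty means it is usable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixgroup" not in classes:
        problems.append(
            "objectClass is not posixGroup (found: %s)" % ", ".join(sorted(classes))
        )
    members = entry.get("memberUid", [])
    if not members:
        problems.append("no memberUid attribute")
    for uid in members:
        # Heuristic (assumption): a bare uid contains neither '=' nor ',';
        # a DN such as uid=carol,ou=people,... contains both.
        if "=" in uid or "," in uid:
            problems.append("memberUid %r looks like a DN, expected bare uid" % uid)
    return problems


def audit(text):
    """Map each group dn in the LDIF text to its list of problems."""
    return {e["dn"][0]: check_group(e) for e in parse_ldif(text) if "dn" in e}


if __name__ == "__main__":
    for dn, probs in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not probs else "; ".join(probs))
```

Run it against an `ldapsearch -LLL` dump of your groups subtree instead of the constructed sample; any group reported with problems is one that the cron/manual sync may still pick up while the memberUid-based login refresh silently skips it, which is exactly the asymmetry described in the thread.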