LDAP user filter

Hello everyone.
I have a strong feeling that this can be done, but this does not work.
The point is this. I linked Nextcloud to LDAP; users who are allowed to log in are selected using the filter:
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=blabla,CN=blabla,DC=blabla,DC=local)(memberOf=CN=blabla,CN=blabla,DC=blabla,DC=local)))
Therefore, system accounts do not get there.

I thought that these were all the users that Nextcloud “can see”.
It turned out that if you select a user search in the upper right corner, then you can see all the users that were found in AD, including system ones, etc.

I tried different options in the settings and put the filter in all the places I could, but I could not get it to filter the users I need, which should be displayed in the list.

It would be ideal to apply a filter to the LDAP users who appear in the list, but I did not find how to do this, or it is impossible. Maybe someone has faced a similar problem and can tell me how to implement this?
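As an added example (not from this thread, from Nextcloud, or from the LDAP app), a small Python parser for RFC 4515 filter syntax, including the extensible-match form used for the userAccountControl bit test. It rejects the filter as it appears above, where the spaces around `=` and `:` would become part of the attribute names, and accepts the same clauses written without them; the sample strings are constructed.

```python
import re
# RFC 4512 attribute description (name or OID, optional ;options); RFC 4515 matching-rule id.
ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")
RULE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
SIMPLE = re.compile(r"^(.*?)([~<>]?=)(.*)$", re.S)

def parse_filter(s, pos=0):
    """Parse one RFC 4515 filter starting at pos -> (node, next_pos).
    Raises ValueError if malformed. Assumes ')' in values is escaped as \\29."""
    if s[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos:pos + 1] in ("&", "|", "!"):          # and / or / not
        op, pos, kids = s[pos], pos + 1, []
        while s[pos:pos + 1] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        if s[pos:pos + 1] != ")":
            raise ValueError(f"expected '(' or ')' at offset {pos}")
        return (op, kids), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError(f"unterminated item at offset {pos}")
    item = s[pos:end]
    if ":=" in item:                                # attr[:dn][:rule]:=value
        lhs, value = item.split(":=", 1)
        attr, *rest = lhs.split(":")
        rule = next((r for r in rest if r != "dn"), "")
        if (attr and not ATTR.match(attr)) or (rule and not RULE.match(rule)):
            raise ValueError(f"bad extensible match {item!r}")
        return ("ext", attr, rule, value), end + 1
    m = SIMPLE.match(item)
    if not m or not ATTR.match(m.group(1)):
        raise ValueError(f"bad attribute description in {item!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        return ("present", attr), end + 1
    return ("simple", attr, op, value), end + 1

def check_filter(s):
    """None if s is exactly one well-formed filter, else the error text."""
    try:
        _, end = parse_filter(s)
        return None if end == len(s) else f"trailing data at offset {end}"
    except ValueError as e:
        return str(e)

# Constructed samples: the thread's filter as posted (trimmed) and the same clauses without the spaces.
AS_POSTED = "(& (objectCategory = person) (objectClass = user) (mail = *) (! (userAccountControl: 1.2.840.113556.1.4.803: = 2)))"
CORRECTED = "(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=blabla,CN=blabla,DC=blabla,DC=local)))"
```

The Nextcloud LDAP app keeps separate filters for the user list (Users tab) and for login (Login Attributes tab); whichever one is being edited, a string that does not parse cannot restrict anything, so checking it first rules out one reason a restriction fails to take effect.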

You don’t need to link to all LDAP users; you can just select a group or OU…
It is controlled by your “blabla” parameters.

What is your Base DN?

This is exactly what I did: in Base DN I entered the path to the OU I need, but the list still displays users outside of this OU.

blabla is exactly the OU that I need, but it is visible to all users of mydomain.local.