Good day everyone. There is a TACACS+ server running on Ubuntu with the following config:
# --- spawnd: listener and worker-process manager -----------------------
id = spawnd {
# accept TACACS+ connections on every local address, TCP port 49
listen = { address = 0.0.0.0 port = 49 }
# lower/upper bound on the number of tac_plus worker processes
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
# --- tac_plus: the TACACS+ daemon itself -------------------------------
id = tac_plus {
# one access log and one accounting log per day (%Y%m%d in the path)
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
# external MAVIS helper that looks users up in Active Directory over
# LDAPS; all of its settings are passed through the environment
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldaps://mydomain.local:636"
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = "OU=User,OU=710,OU=Other,OU=RU,DC=mydomain,DC=local"
# %s is substituted with the login name presented to the NAS
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
# LDAP bind account. NOTE(review): the bind password is stored in
# cleartext here, so this file should be readable only by the account
# tac_plus runs as
setenv LDAP_USER = "ldap_user"
setenv LDAP_PASSWD = "ldap_pass"
# presumably AD groups named "tacacs<name>" are mapped onto the tac_plus
# groups defined further down, and only groups carrying that prefix are
# considered at all -- confirm against mavis_tacplus_ldap.pl
setenv AD_GROUP_PREFIX = tacacs
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
# the two options below were tried in several combinations (see the
# question) without changing the multi-group behaviour
# setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
# setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
# presumably group membership is taken from the user's memberOf
# attribute rather than by searching group objects -- confirm
setenv FLAG_USE_MEMBEROF = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
# every backend points at MAVIS; no local user entries are defined in
# this file
login backend = mavis
user backend = mavis
pap backend = mavis
# --- NAS definitions: the device ranges allowed to talk to the server
# and their shared secrets. NOTE(review): the keys are cleartext as well.
host = hyper {
address = 10.12.4.0/23, 10.11.255.0/24
welcome banner = "Welcome. Today is %A.\n"
#enable 15 = clear secret
key = "key1"
}
host = mini {
address = 10.13.0.0/16
welcome banner = "Welcome. Today is %A.\n"
key = "key2"
}
# --- ACLs: each one matches exactly one of the hosts above --------------
acl = acl_hyper permit {
nas = hyper
}
acl = acl_mini permit {
nas = mini
}
# --- groups. Presumably the names must match what MAVIS returns for the
# AD groups. NOTE(review): every group is bound to a single NAS ACL; how the
# server chooses among several MAVIS-returned groups for a given NAS is the
# open question in this post -- verify against the tac_plus documentation
# before relying on multi-group membership.
# swFull: full shell access on "hyper" devices at privilege level 15
group = swFull {
message = "[netadmin full access]"
acl = acl_hyper
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
# swRO: privilege level 15 on "hyper" devices, but every command is
# denied unless it matches the explicit "show" rule below
group = swRO {
message = "[netadmin restricted access]"
acl = acl_hyper
default service = permit
service = shell {
default command = deny
# presumably %c / %a expand to the rejected command and its arguments
message deny = "You are not allowed to run this command '%c %a'"
set priv-lvl = 15
command = show { permit .* }
}
}
# sw300Full: full shell access on "mini" devices at privilege level 15
group = sw300Full {
message = "[netadmin full access to cisco 300+ switches]"
acl = acl_mini
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
# sw300RO: commands are permitted by default; the only restriction is
# that the user lands at privilege level 1 rather than 15
group = sw300RO {
message = "[netadmin restricted access to cisco 300+ switches]"
acl = acl_mini
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
}
}
As you can see from the config, there are 4 security groups in AD: swFull and swRO are used to access the Catalysts; sw300Full and sw300RO are used for the CBS series switches. If one user is a member of, for example, both swFull and sw300RO, then authorization on the 300+ series switches passes, but not on the Catalysts — as if the mavis module takes the first group returned by LDAP and checks only that one.
I tried various combinations of these commented-out lines, but it did not work:
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
Is it possible to somehow solve this problem?