I think that I found a problem.
If user is member of 2-3 groups everything works good, but when user belongs to many groups does not receive role (sadmin). So I have to define "CONEX LDAP CHECK DEFAULT ROLE" and problem disappear. It's not a solution but workaround.
I've added two types login (local and ldap). First for sadmin and second for admin.