DEFAULT_USER_IS_RESTRICTED not working with LDAP-Auth?

In my app.ini I configured

[service]
DEFAULT_USER_IS_RESTRICTED = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = false

Authentication is done by LDAP. So if a new user logs in for the first time, a Gitea user is created, but he does not have restricted rights. DEFAULT_ALLOW_CREATE_ORGANIZATION does work as expected (new users cannot create organisations). So what am I doing wrong, or what do I not understand?

You are doing everything correctly. It appears that DEFAULT_USER_IS_RESTRICTED only applies when a user is signing up through the signup page and does not get applied when a user is created by the LDAP system. You should file a bug on GitHub for this: Issues · go-gitea/gitea · GitHub
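
An added example, not part of the original thread or of Gitea's own code: a check an administrator could run to list accounts that came from an external source such as LDAP and are not restricted. It assumes the admin users API (`GET /api/v1/admin/users`) returns `login`, `is_admin`, `restricted` and `source_id` fields and that local accounts have `source_id` 0; the sample records are constructed.

```python
import json
import urllib.request


def fetch_users(base_url, token, limit=50):
    """Page through GET /api/v1/admin/users (requires an admin token)."""
    users, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{base_url}/api/v1/admin/users?page={page}&limit={limit}",
            headers={"Authorization": f"token {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return users
        users.extend(batch)
        page += 1


def unrestricted_external(users, local_source_id=0):
    """Return logins of non-admin accounts from an external auth source
    (assumption: source_id != 0, e.g. LDAP) that are not restricted."""
    flagged = []
    for u in users:
        # A record without source_id is treated as local and not flagged.
        external = u.get("source_id", local_source_id) != local_source_id
        if external and not u.get("is_admin") and not u.get("restricted"):
            flagged.append(u["login"])
    return sorted(flagged)


# Constructed sample records shaped like the assumed API response.
SAMPLE = [
    {"login": "root", "is_admin": True, "restricted": False, "source_id": 0},
    {"login": "signup.bob", "is_admin": False, "restricted": True, "source_id": 0},
    {"login": "ldap.alice", "is_admin": False, "restricted": False, "source_id": 1},
    {"login": "ldap.carol", "is_admin": False, "restricted": True, "source_id": 1},
    {"login": "ldap.admin", "is_admin": True, "restricted": False, "source_id": 1},
]

if __name__ == "__main__":
    # Offline run over the sample; use fetch_users(url, token) for a live instance.
    for login in unrestricted_external(SAMPLE):
        print("not restricted:", login)
```
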