Hi! Please tell me how to filter users to log in from only one group (for example, wiki).
Where should I write a filter? In the "User object filter"?
What is the "Group Object filter" for?
This filter doesn't work:
(&(objectClass=posixGroup)(cn=wiki))
In our organization this is basically how we do it.
Group Filter
(&(objectCategory=Group)(sAMAccountName=confluence*))
User Filter
(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=Path,OU=TO,OU=Group,DC=company,DC=dom))
The "userAccountControl:1.2.840.113556.1.4.803:=2" part is to only pull in non-disabled users.
Is this Active Directory?
I use OpenLDAP with other filters and syntax.
Yes, we use AD, but the concept is most likely similar. Your users should have an LDAP attribute in the user object that says what groups they are a member of. So, you only want to pull in users that are a member of your wiki group. You can ignore the "userAccountControl:1.2.840.113556.1.4.803:=2" part. I was just explaining why that is in there. The relevant part would be the "memberOf=CN=confluence-users,OU=Path,OU=TO,OU=Group,DC=company,DC=dom" at the end of the query.
Ah, I just read above that you don't have memberOf. If you want to do what you are specifically asking, you would need to enable memberOf. There is no way to do it without that. That is the only way to only import a subset of users based on a group membership. However, like @Andrew Laden mentioned, you could import all of them and just not give some of them the "can use" permission. The downside of that is that you will have a bunch of people in the people directory that can't actually use the system. That may or may not be an issue for you, but it is something to keep in mind.
You can let LDAP import all users if you want, and just give the global "Can Use" permission to the "wiki" group. The others will be listed in the directory, but won't be able to log in.
The group object filter limits what groups are imported to the user directory, not what users.
You can write a user object filter using "memberof" possibly if you only want to import the users from a particular group.
I don't have the memberOf attribute and do not want to add this attribute to my OpenLDAP server.
Okay, I understand what the group object filter is for; I do not use it. I use only internal groups. I want to use only users from LDAP, not groups.
I have only the "memberUid" attribute in the LDAP group "wiki"
for example
in group "wiki":
memberUid : user1
memberUid : user2
memberUid : user3
and I want to write a filter that lets only users from the LDAP group "wiki" log in
something like
(&(objectClass=posixGroup)(cn=wiki)(memberUid=%s))
but it doesn't work :(
As I mentioned, the Group Object filter is used to limit what groups are imported into the user server on your Confluence instance; it doesn't have anything to do with what users are imported.
This is really more an LDAP question, not a Jira question. You need to figure out an LDAP query that returns just the list of users you want to have imported to the user server.
A quick search turned up these articles on how to enable "memberOf" in openldap
https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/
https://tylersguides.com/guides/openldap-memberof-overlay/
https://www.openldap.org/doc/admin24/overlays.html
As I said though, none of this is technically necessary. Confluence can happily have an entry for every user in your ldap, and you can still limit who can access confluence by only granting the "Can Use" permission to your wiki group. You will have to grant that permission to some group anyway, why not use that one.
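An added illustration, not part of any post in this thread and not Atlassian or OpenLDAP code: a small in-memory evaluator for a subset of LDAP filter syntax, run over constructed entries. It shows why a posixGroup filter used as the user object filter matches no user entries, while the same filter run as a group search does test membership, and how a memberOf filter behaves when users carry that attribute. The `example.org` DNs, the entries and all helper names are assumptions.

```python
import re

# Constructed sample entries (not the poster's directory). NO_MEMBEROF mirrors the
# thread's OpenLDAP case; WITH_MEMBEROF shows user1 carrying a memberOf value.
WIKI_DN = "cn=wiki,ou=groups,dc=example,dc=org"
GROUP = (WIKI_DN, {"objectClass": ["posixGroup"], "cn": ["wiki"],
                   "memberUid": ["user1", "user2", "user3"]})
def user(uid, **extra):
    return (f"uid={uid},ou=people,dc=example,dc=org",
            {"objectClass": ["posixAccount"], "uid": [uid], **extra})
NO_MEMBEROF = [user("user1"), user("user4"), GROUP]
WITH_MEMBEROF = [user("user1", memberOf=[WIKI_DN]), user("user4"), GROUP]

def parse(f, i=0):
    """Parse a subset of RFC 4515: (&..), (|..), (!..) and (attr=value) with * wildcards."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    # Leaf: decode \xx escapes, treat * as a wildcard. Simplification: case-insensitive compare.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in node[2].split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    values = {k.lower(): v for k, v in attrs.items()}.get(node[1], [])
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(filter_text, directory):
    tree, _ = parse(filter_text)
    return [dn for dn, attrs in directory if matches(tree, attrs)]

def escape(value):
    # RFC 4515 escaping, so a login name such as "*" cannot act as a wildcard.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def is_wiki_member(uid, directory=NO_MEMBEROF):
    # Run as a group search, the thread's memberUid filter answers "is uid in wiki?".
    hits = search(f"(&(objectClass=posixGroup)(cn=wiki)(memberUid={escape(uid)}))", directory)
    return hits == [WIKI_DN]
```

The evaluator only models filter matching; it does not model how Confluence substitutes values or schedules directory synchronisation.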
When I delete a user from the group "wiki" in LDAP, the user is still able to authenticate in Confluence. Why?
There is a delay; the sync with LDAP only runs periodically. If you want it to take effect immediately, you have to select "synchronize" for your directory entry from the "User Directories" page.
Who else has the "Can use" global permission?
In Confluence we have internal groups (such as "team", "confluence-users"); these groups have "can use".
But my deleted user is only in the group "wiki".
So if you look up the user in the confluence list users page
https://YOURCONFLUENCESERVER/admin/users/viewuser.action?username=USERNAME
You confirmed that he is not a member of any group that has "Can Use" rights, and he still can log in?