Think of it as a folder structure: each OU is another folder under the previous … left to right. CNs are containers; think of them as drive letters or mount points in a filesystem. The OUs are folders in that filesystem under the container.
What the groupdn is asking for is which folder it should search for the user that is trying to authenticate. The groupFilter is telling the auth system what value to search for the username.
Normally in LDAP it’s whatever you have chosen, but Active Directory has a specific search k/v for the username called sAMAccountName, and that’s the attribute of the user that tells AD what the account name is.
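
The search-base and filter idea described above, as an added example that is not part of the original post: it checks whether an entry's DN falls under a configured base DN and builds a `sAMAccountName` filter with RFC 4515 escaping of the supplied username. The `example.com` DNs, the filter template and all function names are assumptions constructed for illustration.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample DNs (hypothetical domain and OUs).
BASE_DN = "OU=Staff,DC=example,DC=com"
USER_DN = "CN=Jane Doe,OU=Engineering,OU=Staff,DC=example,DC=com"
SVC_DN = "CN=svc-backup,OU=Service Accounts,DC=example,DC=com"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """AD user lookup keyed on sAMAccountName (the template is an assumption)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into lower-cased (type, value) RDNs.

    Simplified: honours backslash-escaped commas, but not multi-valued
    RDNs ('+') or hex-escaped values.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn, i.e. the base is a suffix of it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def as_path(dn: str) -> str:
    """Render a DN root-first, the way a filesystem path would be written."""
    return "/".join(value for _, value in reversed(split_dn(dn)))


if __name__ == "__main__":
    print(as_path(USER_DN))
    print(is_under_base(USER_DN, BASE_DN), is_under_base(SVC_DN, BASE_DN))
    print(build_user_filter("smith (contractor)"))
```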