I just answered another post with almost this same information. Let me know if this helps.
First, you should not be changing the base dn for searches. Leave the base dn as DC=host,DC=domain,DC=com
Now create a new domain group. Mine's called SparkIM. Make the users and groups that you want openfire to see members of this “Control Group”.
Next, make sure the groups for roster sharing are correct and that no one is in more than one group. I had to create new groups specifically for the roster to make support a little bit easier, but using existing groups will work as well.
Replace the CN=SparkIM… with the DN of the “Control Group”.
Now you can control the roster and the ability to sign in by adding or deleting members from the “Control Group”. I named mine sparkim because we only use the spark client and the help desk doesn’t have a clue what openfire is (it makes my life a little easier, even though I know there are other clients out there).
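As an added illustration of the control-group approach above (not code from the original post or from Openfire), this script builds the memberOf filters against constructed directory entries and checks the "no one in more than one roster group" rule. The group DNs, the sample users and the filter values are assumptions; only the property names ldap.baseDN, ldap.searchFilter and ldap.groupSearchFilter are real Openfire settings.

```python
import re
from collections import Counter

BASE_DN = "DC=host,DC=domain,DC=com"                    # base DN left as-is, per the post
CONTROL_GROUP_DN = "CN=SparkIM,OU=Groups," + BASE_DN    # placeholder DN of the "Control Group"
ROSTER_GROUP_DNS = ["CN=Roster-Support,OU=Groups," + BASE_DN,
                    "CN=Roster-Sales,OU=Groups," + BASE_DN]   # placeholder roster-sharing groups

# Constructed sample directory entries: each lists the group DNs it is a direct member of.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users," + BASE_DN, "objectClass": ["user"],
     "memberOf": [CONTROL_GROUP_DN, ROSTER_GROUP_DNS[0]]},
    {"dn": "CN=bob,OU=Users," + BASE_DN, "objectClass": ["user"],
     "memberOf": [CONTROL_GROUP_DN, ROSTER_GROUP_DNS[1]]},
    {"dn": "CN=carol,OU=Users," + BASE_DN, "objectClass": ["user"],
     "memberOf": [ROSTER_GROUP_DNS[0]]},                 # not in the control group: cannot sign in
    {"dn": "CN=dave,OU=Users," + BASE_DN, "objectClass": ["user"],
     "memberOf": [CONTROL_GROUP_DN, ROSTER_GROUP_DNS[0], ROSTER_GROUP_DNS[1]]},  # in two roster groups
]

def escape_filter_value(value):
    """RFC 4515 escaping so a DN containing '(' ')' '*' or '\\' cannot break the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def member_filter(group_dn, object_class):
    """Filter admitting only objects of object_class that are direct members of group_dn."""
    return "(&(objectClass=%s)(memberOf=%s))" % (object_class, escape_filter_value(group_dn))

def openfire_properties():
    """Property values implied by the control-group approach (values are illustrative)."""
    return {"ldap.baseDN": BASE_DN,
            "ldap.searchFilter": member_filter(CONTROL_GROUP_DN, "user"),
            "ldap.groupSearchFilter": member_filter(CONTROL_GROUP_DN, "group")}

def matches(entry, group_dn, object_class):
    return object_class in entry["objectClass"] and group_dn in entry["memberOf"]

def users_allowed_to_sign_in(directory=DIRECTORY):
    """Users the control-group filter would return, i.e. who can sign in."""
    return [e["dn"] for e in directory if matches(e, CONTROL_GROUP_DN, "user")]

def users_in_several_roster_groups(directory=DIRECTORY, roster_groups=ROSTER_GROUP_DNS):
    """The post's constraint: nobody should be in more than one roster-sharing group."""
    counts = Counter()
    for e in directory:
        counts[e["dn"]] += sum(1 for g in e["memberOf"] if g in roster_groups)
    return sorted(dn for dn, n in counts.items() if n > 1)
```

Note that an Active Directory memberOf match only covers direct membership, so a user who reaches the control group through a nested group is not returned by these filters.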