I know for Openfire 3.6.0, you can open up the Openfire Admin console, and change the OU which Openfire looks at for users from the Server Tab, in either the Server Manager section under System Properties, or Server Settings, under Profile Settings.
If you are using openfire 3.6.0 you can adjust this under the Server > Server Manager > System Properties. There is a property value for the ldap alternate base dn. It worked for me to point the base DN at the users container and the alternate base dn at the groups container.
Alternatively, you can point the base DN at a place in the ldap tree that contains both the users and groups, and use a clever set of filters to pick out only the users and groups you want.
Looks like you may be having trouble with the ldap filter. I would recommend doing some internet research (google) for ldap filter syntax to see what you want. Without looking at your ldap directory I would have no idea what to recommend as a filter.