It appears that LdapGroups has been accidentally coded such that all members must come from the BaseDN instead of either the BaseDN or the AltBaseDN. I have attached a patch that I believe fixes this. Hope it helps.
Filed in Jira for consideration:
Thank you very much.
People on this thread http://www.igniterealtime.org/community/message/192057#192057 are having trouble with Openfire 3.6.4 and LDAP. They say everything was fine with 3.6.3, and the only LDAP-related fix looks to be yours, JM-1516. Maybe this should be investigated.