Oh the joy and the pain of this….
After a very long time I have now got this working how I want it but it was painful getting the right runes to make the two play nicely.
What I wanted:

To have a group in AD that could access and authenticate to Openfire
To have a groups in Openfire [...]