Thanks, but I've already followed that document. I found the LDAP debug options and set both of them to true (not sure why there are 2... ldap.ldapDebugEnabled and ldap.debugEnabled). I can now see the request sent to and received from in the nohup.log (/opt/openfire/logs). It seems like as soon as I use any memberOf filter, Openfire just stops the normal communication chain with LDAP.
In my slapd access logs for my main FreeIPA node, I see a successful bind and search for my admin user, and then it immediately unbinds. If I change the filter to anything not containing memberOf, authentication works and it runs 3 or 4 searches before unbinding.