I am using LDAP authentication with SSL-VPN on 4.0MR2. The way I have it, it's a couple of steps:
1. In User->Remote->LDAP I query the OU, e.g., CN=Builtin,dc=example,dc=local
2. In User->User Group->User Group, when you make the Firewall group to allow SSL-VPN access, you click Add for Remote authentication, select the LDAP server you created in step 1. Then there is a Group Name column which allows you to use a query to restrict access based on group membership. You use a Common Name Identifier to do so: e.g., cn=VPN Access Users,OU=Builtin,DC=example,DC=local.
Hope this helps. I barely understand LDAP but I know this works. I have two LDAP server entries configured to check a common VPN user group against two different OUs.
* The above example results in users logging in with their full name.