[solved] Enable certificate renewal-hook in nethserver

Yes, it works here. My findings were the following:
I was not able to do it with a self-signed certificate, thus the nethserver AD nsdc container needs to be configured with a valid certificate with ad.yourdomain.com in it. So I use a letsencrypt certificate. OPNsense needs to be able to ping ad.yourdomain.com. The OPNsense query needs to be encrypted (port 636). And the base DN must be configured accordingly.

For copying the certificate to OPNsense I found a script. See the comments of giacomo on how to implement it. I basically have made a certificate for sshing from nethserver (holding the letsencrypt certificate) to OPNsense without password, then configured that the certificates and this php script are copied (scp) to OPNsense, then invoked the php script (also via ssh), and then deleted the script and the copied certificates from OPNsense. Every time there is a new certificate, the above happens automatically. To trigger a copy every time the certificate is renewed, see giacomo's post in this thread.

Once the certificate is in place in OPNsense and also in the nsdc AD container, the only remaining thing is to get the user DN, bind credentials and base DN right depending on your domain setup. I had trouble understanding cn and ou. Once I got them right, everything worked as expected. For example, when you edit your domain with RSAT tools from within a Windows client and you create an OU MyUsers, that's ou=, but the standard container Users is cn=. The same goes for MyComputers (ou=) and the standard container Computers (cn=).

In my case, I always got an error message "wrong credentials or unknown user" in OPNsense, in the log located here in OPNsense (sorry, but I have it in German): System/Protokolldateien/Allgemein, until I figured out that, while my normal domain users were transferred to ou=MyUsers, the user which I created for LDAP queries remained in the standard "container" Users.
Thus the correct User DN in my case is:
cn=ldapusername,cn=Users,dc=ad,dc=yourdomain,dc=com (and not ou=MyUsers)

I hope that helps.

4 Likes
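The copy-run-delete step described in the post, written out as a renewal hook. This is an added example, not the script from the thread or anything shipped by NethServer or OPNsense; the ssh target, key path, certificate directory and helper script name are assumptions. It also includes a small helper that builds the user DN from the container type (cn= for standard containers, ou= for your own OUs), which is the distinction the post explains.

```shell
#!/bin/sh
# Added example, not code from the forum post: a renewal hook that pushes the
# renewed Let's Encrypt certificate from NethServer to OPNsense over SSH, runs
# a helper script there, and deletes the temporary copies again afterwards.
# Target, key, paths and the helper script name are assumptions.
set -eu

OPNSENSE="${OPNSENSE:-root@opnsense.yourdomain.com}"            # assumed ssh target
SSH_KEY="${SSH_KEY:-/root/.ssh/id_opnsense_deploy}"              # assumed key for password-less ssh
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/ad.yourdomain.com}"  # assumed live cert directory
HELPER="${HELPER:-/usr/local/sbin/import_cert.php}"              # assumed local copy of the php import script

# Build the DN of an account from its container type: standard containers such
# as Users and Computers are cn=, while OUs you created with RSAT are ou=.
#   dn_for_user ldapusername cn Users ad.yourdomain.com
dn_for_user() {
    user="$1"; kind="$2"; container="$3"; domain="$4"
    base=$(printf '%s\n' "$domain" | sed 's/\./,dc=/g; s/^/dc=/')
    printf 'cn=%s,%s=%s,%s\n' "$user" "$kind" "$container" "$base"
}

# Copy certificate, key and helper to a private temp dir on OPNsense, run the
# helper, and remove the temp dir whether or not the helper succeeded.
deploy_cert() {
    remote_tmp="/tmp/certdeploy.$$"
    ssh -i "$SSH_KEY" "$OPNSENSE" "mkdir -m 700 '$remote_tmp'"
    scp -i "$SSH_KEY" "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "$HELPER" \
        "$OPNSENSE:$remote_tmp/"
    ssh -i "$SSH_KEY" "$OPNSENSE" \
        "php '$remote_tmp/$(basename "$HELPER")' '$remote_tmp/fullchain.pem' '$remote_tmp/privkey.pem'; rc=\$?; rm -rf '$remote_tmp'; exit \$rc"
}

# Only deploy when called explicitly (e.g. from the renewal hook), so the
# functions above can also be sourced or tested without touching OPNsense.
if [ "${1:-}" = "--deploy" ]; then
    deploy_cert
fi
```

Register the script with `--deploy` as the renewal hook so it runs only after a successful renewal; the ssh key should be a dedicated one used for nothing else.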