you have to create local users/groups that match the users you want to use. The passwords from LDAP are used for authentication, but the permissions must still be managed inside of pfSense.
There is a ticket open (I think for LDAP… might be RADIUS) for passing group info back and forth to make it easier in the future but it's not all there yet.