For the record: In an email conversation, Thomas confirmed the resolution by using the Leap build with yet-to-be-released patches. However, it was required to use "ldap_use_tokengroups=False" for SSSD to correctly calculate group memberships. In the upstream commit history, an SSSD developer noticed that the 1.11.x release does not sufficiently handle many corner cases, hence tokengroups should be skipped by default, introducing a new patch "0009-LDAP-Disable-token-groups-by-default.patch" to SSSD. A maintenance update for SSSD should be available in several weeks.