Comment # 7 on bug 966869 from Howard Guo

For the record:

In email conversation Thomas confirmed the resolution by using the Leap build
with yet to be released patches. However, it was required to use
"ldap_use_tokengroups=False" for SSSD to correctly calculate group memberships.

In the upstream commit history, an SSSD developer noticed that 1.11.x release
does not sufficiently handle many corner cases, hence tokengroups should be
skipped by default, introducing a new patch
"0009-LDAP-Disable-token-groups-by-default.patch" to SSSD.

A maintenance update for SSSD should be available in several weeks.