Thank you very much Sumit, I think you may have pointed me in the right direction.
Haven't resolved it yet, but I have a hunch what the issue might be. I compared the
debug_level 9 output from this and also using our existing 389 authentication.
IPA:

(2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))][uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com].
(2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_access_filter_done] (0x0100): User [markj(a)ipa.domain.com] was not found with the specified filter. Denying access.
(2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_access_filter_done] (0x0400): Access denied by online lookup

389:

(2021-10-27 21:47:45): [be[domain.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ServerAdmins,ou=Groups,dc=domain,dc=com))][uid=markj,ou=People,dc=domain,dc=com].
(2021-10-27 21:47:46): [be[domain.com]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
Further testing via ldapsearch seems to indicate the difference being that I can get group
membership information from an unauthenticated bind in 389 but not with IPA. I think I
just need to modify my sssd.conf for an authenticated bind and I think that might resolve
the issue. Hopefully.
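The authenticated-bind change the message proposes, sketched as an added sssd.conf excerpt that is not the poster's actual configuration; the search bases, the service-account DN under cn=sysaccounts,cn=etc and the access filter are assumptions reconstructed from the logged query:

```ini
# /etc/sssd/sssd.conf (hypothetical excerpt; DNs and filter are assumed from the debug log)
[sssd]
domains = ipa.domain.com
services = nss, pam

[domain/ipa.domain.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ipa.domain.com
ldap_search_base = cn=compat,dc=ipa,dc=domain,dc=com
ldap_user_search_base = cn=users,cn=compat,dc=ipa,dc=domain,dc=com
# sssd wraps this in (&(uid=...)(objectclass=posixAccount)(...)) as seen in the log
ldap_access_filter = memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com

# Before: with no bind credentials the access lookup is an anonymous bind, and if
# the directory does not expose memberOf to anonymous clients the filter never
# matches, giving "was not found with the specified filter. Denying access."

# After: bind as a dedicated, read-only service account so memberOf is returned.
# The account DN is a placeholder; create it with no rights beyond reading users/groups.
ldap_default_bind_dn = uid=sssd-bind,cn=sysaccounts,cn=etc,dc=ipa,dc=domain,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <value produced by sss_obfuscate, not a cleartext password>
```

Keep sssd.conf root-owned with mode 0600, since the bind secret lives in it. On an IPA-enrolled host, ldap_sasl_mech = GSSAPI with the host keytab avoids storing a password at all.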