The attached patch addresses:
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making administrators think
that the ldap_access_filter can resolve nested group memberships.
The alternative I was considering was changing the example to use a
different attribute altogether, but I was struggling to come up with an
example that wouldn't be too artificial (like
ldap_access_filter=/bin/bash).