Your sssd configuration does not mention what DN is used to bind to the
LDAP server to retrieve the data. This means you are using anonymous
bind. Since FreeIPA 4.0 there is a number of attributes that are not
available to anonymous binds, including 'member' and 'memberof'. Thus,
SSSD does not see membership information when using anonymous binds.
In normally enrolled IPA clients host/ipa client IPA REALM Kerberos
principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
server, thus all binds are authenticated and 'member'/'memberof'
attributes are accessible.
So you either need to enroll machines to IPA and switch your sssd.conf
to use 'ipa' providers instead of ldap, or define a system account that
can be used to bind to LDAP by your sssd clients. In short term
perspective that would probably be an easier fix. For the latter see
sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.