As one having struggled with this very issue, I can tell you that in hindsight it’s easy, but it feels very hard (and it is very time consuming) while you do it. My suggestions are the following:

Important Preliminaries
- make sure you understand as much as possible your own LDAP/AD server (and I say that while I don’t with mine, but I try)
- use `ldapsearch` a lot, checking its content and how users are reported in it. For example I typically search simply `-x "(objectclass=*)"` to get as much information as possible from it
- study your `sssd.conf` (and/or your `/etc/sssd/conf.d/*`) and again try to understand as much as possible what’s in there and how it works

Essential
- make sure you have the INFO level of logging
- figure out where OnDemand or its LDAP logging things place the relevant logs (in my case it’s `/var/log/messages`, not sure why not `/var/log/secure`, YMMV)
- find in said logs the lines that have `level=INFO msg="performing ldap search"` and see what they are searching
- compare the previous step with what you have learned in the preliminaries – this is typically self-explanatory
Example
For example, in my case I noticed in the log that the filter contained `(userPrincipalName=my_username)` instead of what my LDAP server wanted, which is `(userPrincipalName=my_username@domain.lab)` (as reported by the regular sssd logs, which were working). The easy solution was for users to log in with their full domain, and that allowed me to move forward. I wanted to fix that, but couldn’t without the help of the fine folks in this list, as described at Simplify login for users using LDAP/DEX. But of course it’s one thing to ask “it doesn’t work”; it’s another to go with the specific query that you need vs the one that OnDemand/Dex/whatever creates based on your config.
Hope this helps!
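The log check from the “Essential” steps, as an added example that is not part of the original post: a small Python parser that pulls the search base, scope and filter out of `performing ldap search` lines and flags any `userPrincipalName` value that lacks the realm suffix the server expects. The sample log lines are constructed, and the base/scope/filter layout inside the message is an assumption about the Dex log format, so adjust the regex to what your own log shows.

```python
import re

# Constructed sample lines modelled on the post's quoted `level=INFO msg="performing ldap search"`;
# the base/scope/filter ordering inside the message is an assumption, not taken from Dex itself.
SAMPLE_LOG = """\
Jan 10 12:00:01 ondemand dex[1234]: time="2024-01-10T12:00:01Z" level=INFO msg="performing ldap search ou=users,dc=domain,dc=lab sub (&(objectClass=person)(userPrincipalName=alice))"
Jan 10 12:00:05 ondemand dex[1234]: time="2024-01-10T12:00:05Z" level=INFO msg="performing ldap search ou=users,dc=domain,dc=lab sub (&(objectClass=person)(userPrincipalName=bob@domain.lab))"
Jan 10 12:00:09 ondemand dex[1234]: time="2024-01-10T12:00:09Z" level=INFO msg="unrelated message"
"""

# Matches the assumed layout: <base> <scope> <filter> after "performing ldap search".
SEARCH_RE = re.compile(
    r'level=INFO msg="performing ldap search (?P<base>\S+) (?P<scope>\S+) (?P<filter>\(.*\))"'
)


def parse_search_lines(text):
    """Return a list of (base, scope, filter) tuples, one per 'performing ldap search' line."""
    found = []
    for line in text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            found.append((m.group("base"), m.group("scope"), m.group("filter")))
    return found


def upn_values(ldap_filter):
    """Extract every userPrincipalName value used in an LDAP filter string."""
    return re.findall(r"\(userPrincipalName=([^)]*)\)", ldap_filter)


def find_unqualified_upns(text, realm):
    """Return (upn, filter) pairs where the UPN is missing the '@realm' suffix.

    These are the searches that will not match what the directory stores
    (the symptom described in the post), compared case-insensitively.
    """
    suffix = "@" + realm.lower()
    bad = []
    for _base, _scope, flt in parse_search_lines(text):
        for upn in upn_values(flt):
            if not upn.lower().endswith(suffix):
                bad.append((upn, flt))
    return bad


if __name__ == "__main__":
    for upn, flt in find_unqualified_upns(SAMPLE_LOG, "domain.lab"):
        print(f"unqualified UPN {upn!r} in filter {flt}")
```

Run it against the real log (e.g. read `/var/log/messages` instead of `SAMPLE_LOG`) with the realm your `ldapsearch` output shows, and the flagged filters are the ones to compare with the working sssd query.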