This really depends on SSSD configuration, in particular auth_provider. auth_provider=ldap requires either port 389 (with TLS) or 636 (ldaps). auth_provider=krb5 requires port 88.
ipa and AD providers require both actually, because even identity data is encrypted with GSSAPI, so you need port 88 to prime the ccache to do a GSSAPI LDAP bind, then port 389 to search LDAP and then also again port 88 for authentication.
IPA and AD providers also rely heavily on DNS, so port 53 might be appropriate as well.