SSSD Search Depth for AltSecIdentities

Ubuntu 20.04 tied to Windows 2019 AD. Single user account being mapped to multiple x509 strings. Works fine with 3-4 x509 strings but anymore and it fails even though users can properly login to their personal account with said x509 string

Not sure if there is a depth parameter for the certmap portion or domain portion, not seeing any in documentation that i've found. Perhaps it's also the timeout? Though I would think 400 would be high enough to parse through 5-8 x509 strings

SSSD.conf

[sssd]
domains = $REALMNAME
config_file_version = 2
services = nss, pam, sudo, ssh
debug_level = 10
certificate_verification = no_ocsp

[domain/$REALMNAME]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = $REALMNAME
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = $REALMNAME
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
debug_level = 10
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_certificate = altSecurityIdentities
krb5_validate = true
krb5_ccachedir = /var/tmp
krb5_keytab = /etc/krb5.keytab

[pam]
debug_level = 10
p11_child_timeout = 400
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
pam_cert_auth = True

[certmap/$REALMNAME/pancakes]
maprule = LDAPU1:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<SR>{serial_number!hex_ur})

krb5.conf

[libdefaults]
default_realm = $REALM_IN_CAPS
pkinit_kdc_hostname = $realm_lowercase
pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_pool = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_identities = PKCS11:opensc-pkcs11.so:slotid=0:certid=01
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = True

SSSD / sssd

SSSD Search Depth for AltSecIdentities #7479