The SharePoint AD authority connector is reportedly returning user SIDs but not the SIDs of the groups that the user belongs to. This is despite its code being identical to that of the Active Directory authority connector.
It's not clear whether the code has a simple logic bug, or whether Microsoft changed their LDAP schema in some subtle way which breaks this functionality. It seems like maybe you were always supposed to use the attribute name "Token-Groups" rather than "tokenGroups"? See this article: