I don't think mod_lookup_identity is what you are looking for, it does not deal with
access authorization.
You don't say how your users authenticate, so I'll assume you have that sorted
out. In that case, mod_authnz_pam might be the way to go. You mention you use SSSD, so
configuring just
account required pam_sss.so
(without the auth module) should delegate the authorization to SSSD.
Jan (not subscribed to the mailing list, replying via WebUI)