IdM sudo not working

    I am trying to get sudo working in IdM.

    RHEL 8.5
    ipa-server: 4.9.8-7.module+el8
    sudo: 1.8.29-8.el8
    libsss_sudo: 2.6.2-4.el8

    /etc/nsswitch.conf:
    sudoers: files sss


    /etc/sssd/sssd.conf (domain and host names obfuscated):
    [domain/my.domain]
    cache_credentials = True
    krb5_store_password_if_offline = True
    krb5_realm = MY.DOMAIN
    id_provider = ipa
    ipa_domain = my.domain
    access_provider = ipa
    auth_provider = ipa
    chpass_provider = ipa
    ipa_hostname = myhost.my.domain
    ipa_server = myhost.my.domain

    sudo_provider = ldap
    ldap_uri = ldap://myhost.my.domain
    ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/myhost.my.domain
    ldap_sasl_realm = MY.DOMAIN
    krb5_server = myhost.my.domain

    [sssd]
    domains = my.domain
    certificate_verification = ocsp_dgst=sha1
    services = nss, pam, ifp, ssh, sudo

    [sudo]

    [ifp]
    allowed_uids = ipaapi, root


    "id user":
    uid=300000(user) gud=300000(user) groups=300000(user)


    "sudo -U user -l":
    User user may run the following commands on myhost:
    (user : ALL) NOPASSWD: ls /root


    "su - user" followed by "id":
    uid=300000(user) gid=300000(user) groups=300000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


    To me, all the configuration looks correct.

    But, when I do "sudo ls /root" as user:
    1) it asks for a password, which for that command it should not, and
    2) I get "Sorry, user user is not allowed to execute /usr/bin/ls /root as root on myhost.my.domain"

    Can someone tell me what I have configured incorrectly?

    Robert.
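An added diagnostic helper, not code from this thread or from Red Hat: it parses a `sudo -l` listing and the sudo-related keys of an sssd.conf domain section and reports the two things worth checking before looking further, namely whether any listed rule's run-as user covers the account the command is being run as (root by default), and whether `sudo_provider` differs from `id_provider` (SSSD defaults `sudo_provider` to the value of `id_provider`, so an IPA domain normally uses the ipa sudo backend). The sample config and `sudo -l` text are constructed here, modelled on the values in the post; run-as matching follows the `(runas_user : runas_group)` format that `sudo -l` prints.

```python
"""Diagnostic helper (added example, not from the thread): inspect `sudo -l`
output and an sssd.conf domain section for the usual causes of "asks for a
password, then says not allowed" when running a command as root via IdM."""
import configparser
import re

# Constructed copy of the post's domain section (host names obfuscated as there).
SSSD_CONF = """
[domain/my.domain]
id_provider = ipa
access_provider = ipa
auth_provider = ipa
ipa_hostname = myhost.my.domain
ipa_server = myhost.my.domain
sudo_provider = ldap
ldap_uri = ldap://myhost.my.domain
ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain
ldap_sasl_mech = GSSAPI

[sssd]
domains = my.domain
services = nss, pam, ifp, ssh, sudo
"""

# Constructed `sudo -U user -l` output, as shown in the post.
SUDO_L = """User user may run the following commands on myhost:
    (user : ALL) NOPASSWD: ls /root
"""

# One `sudo -l` privilege line:
#   (runas_user[, ...] [: runas_group[, ...]]) [TAG: ...] command
RULE_RE = re.compile(
    r"^\s*\((?P<users>[^:)]*?)(?:\s*:\s*(?P<groups>[^)]*?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def _split(spec):
    """Split a comma-separated run-as list; an absent list yields []."""
    return [s.strip() for s in spec.split(",") if s.strip()] if spec else []


def parse_sudo_rules(text):
    """Return the privilege lines of `sudo -l` output as dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        rules.append({
            "runas_users": _split(m.group("users")),
            "runas_groups": _split(m.group("groups")),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd"),
        })
    return rules


def rules_allowing_runas(rules, target_user="root"):
    """Rules whose run-as user list covers target_user, explicitly or via ALL."""
    return [r for r in rules
            if target_user in r["runas_users"] or "ALL" in r["runas_users"]]


def check_runas(rules, target_user="root"):
    """Findings about whether any listed rule lets the caller run as target_user.

    sudo authenticates before it reports that no rule matches the requested
    command, so a rule that only names a different run-as user yields both a
    password prompt and a "not allowed" message when the default (root) is used."""
    if not rules:
        return ["no sudo rules are listed for this user"]
    if rules_allowing_runas(rules, target_user):
        return []
    listed = sorted({u for r in rules for u in r["runas_users"]})
    return [f"no rule permits running as {target_user}; listed run-as users: {listed}"]


def check_sssd(conf_text, domain):
    """Findings about the sudo-related settings of one [domain/<domain>] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp[f"domain/{domain}"]
    findings = []
    idp = dom.get("id_provider")
    sudop = dom.get("sudo_provider", idp)  # SSSD default: sudo_provider = id_provider
    if idp == "ipa" and sudop != "ipa":
        findings.append(
            f"sudo_provider = {sudop} while id_provider = ipa: the ipa sudo backend "
            "reads IdM sudo rules directly; an explicit ldap backend must reach the "
            "rules through its own ldap_uri and ldap_sudo_search_base")
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    if "sudo" not in services:
        findings.append("the sudo responder is not listed in [sssd] services")
    return findings


if __name__ == "__main__":
    for f in check_sssd(SSSD_CONF, "my.domain") + check_runas(parse_sudo_rules(SUDO_L)):
        print("finding:", f)
```

On a real host the inputs would be the output of `sudo -U <user> -l` and the contents of /etc/sssd/sssd.conf; the checker only reads text and changes nothing.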
