I have a Linux domain running with sssd, let's call this domain NJ.
I'd like machines on the NJ domain to be able to authenticate against an Active Directory ldap server which resides on a different domain (called NY) which is behind a firewall.
Would it be enough to allow only port 389 between both domains or are there any other ports which are required in order for the machines on the NJ domain to authenticate against ldap servers in the NY domain?
You should use TCP ports 389 and/or 636. Port 636 is for LDAPS, which is LDAP over SSL. Encryption on port 389 is also possible using the STARTTLS mechanism, but in that case you should explicitly verify that encryption is being done.
Microsoft's KB article says:
Also see the related Server Fault question.
As long as it is LDAP auth only (and not AD/Kerberos etc.), 389 should be sufficient.

This really depends on SSSD configuration, in particular auth_provider. auth_provider=ldap requires either port 389 (with TLS) or 636 (ldaps). auth_provider=krb5 requires port 88.
ipa and AD providers require both actually, because even identity data is encrypted with GSSAPI, so you need port 88 to prime the ccache to do a GSSAPI LDAP bind, then port 389 to search LDAP and then also again port 88 for authentication.
IPA and AD providers also rely heavily on DNS, so port 53 might be appropriate as well.
SSSD can be configured to retrieve user information from the Active Directory Global Catalog. That would require port 3268: https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
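Because the required ports depend on which SSSD providers a domain section uses, it is easy to open too little (auth fails) or too much. The script below is an added example, not part of the answer above: it reads an sssd.conf, applies the port mapping the answer gives (ldap provider: 389 with TLS or 636 for an ldaps:// URI; krb5: 88; ad/ipa: 88, 389 and 53; Global Catalog: 3268), and can then probe the TCP ports from the NJ side. The sample configurations are constructed for illustration; `ny.example` and `dc1.ny.example` are placeholders. The `ad_enable_gc` option is a real SSSD setting not mentioned on this page, assumed here to default to enabled, and the rule that auth_provider falls back to id_provider follows sssd.conf(5).

```python
import configparser
import socket
from urllib.parse import urlsplit

# Constructed sample: an NJ machine joined to the NY Active Directory domain via the ad provider
SAMPLE_AD_CONF = """\
[sssd]
domains = ny.example
services = nss, pam

[domain/ny.example]
id_provider = ad
auth_provider = ad
ad_domain = ny.example
ad_server = dc1.ny.example
"""

# Constructed sample: plain LDAP provider talking LDAPS to the same server
SAMPLE_LDAP_CONF = """\
[sssd]
domains = ny.example

[domain/ny.example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc1.ny.example
"""


def required_ports(conf_text, domain=None):
    """Map one [domain/...] section to {(port, proto): reason} for the NJ->NY firewall."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    names = [s for s in cp.sections() if s.startswith("domain/")]
    if domain is not None:
        names = [s for s in names if s == "domain/" + domain]
    if not names:
        raise ValueError("no matching [domain/...] section")
    sec = cp[names[0]]
    id_provider = sec.get("id_provider", "").strip()
    # sssd.conf(5): auth_provider defaults to id_provider when that provider can authenticate
    auth_provider = sec.get("auth_provider", id_provider).strip()
    providers = {id_provider, auth_provider}
    needed = {}

    if "ldap" in providers:
        for uri in sec.get("ldap_uri", "ldap://").split(","):
            parts = urlsplit(uri.strip())
            if parts.scheme == "ldaps":
                needed[(parts.port or 636, "tcp")] = "LDAPS (LDAP over SSL/TLS)"
            else:
                needed[(parts.port or 389, "tcp")] = "LDAP; STARTTLS expected, verify it is in effect"
    if "krb5" in providers:
        for proto in ("tcp", "udp"):
            needed[(88, proto)] = "Kerberos authentication"
    if providers & {"ad", "ipa"}:
        for proto in ("tcp", "udp"):
            needed[(88, proto)] = "Kerberos: prime ccache for GSSAPI bind, then authenticate"
            needed[(53, proto)] = "DNS: SRV/server discovery used by the ad/ipa providers"
        needed[(389, "tcp")] = "LDAP search over a GSSAPI-encrypted bind"
    # ad_enable_gc is an SSSD option (assumed default: enabled); GC lookups use 3268
    if "ad" in providers and sec.getboolean("ad_enable_gc", fallback=True):
        needed[(3268, "tcp")] = "Active Directory Global Catalog"
    return needed


def probe_tcp(host, needed, timeout=2.0):
    """Try a TCP connect to each required TCP port; returns {port: reachable}."""
    results = {}
    for (port, proto) in sorted(needed):
        if proto != "tcp":
            continue                      # UDP reachability is not provable with a connect()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


if __name__ == "__main__":
    for (port, proto), reason in sorted(required_ports(SAMPLE_AD_CONF).items()):
        print(f"{proto}/{port:<5} {reason}")
    # Live check from an NJ host, placeholder server name:
    # print(probe_tcp("dc1.ny.example", required_ports(open("/etc/sssd/sssd.conf").read())))
```

Run it with your real /etc/sssd/sssd.conf to get the rule list for the firewall between NJ and NY, then run `probe_tcp` from an NJ host once the rules are in place; a port that the mapping lists but the probe reports as unreachable is the usual cause of "identity lookups work but logins fail" with the ad provider.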
If you will access any SAMBA shares, then dynamic ports will be necessary to verify access to folders before opening them.
This TechNet document lists all potential ports, depending on the features you will use. It also has a link to restricting dynamic ports if you want to limit the number of potential ports. https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx