To all of the haters, I present to you, the 30-day, 1-developer Active Directory replacement cycle:
Day 1: Implement an LDAP schema in your database of choice. Too easy.
Days 2 through 4: Write the Apache/SOAP/HTTPS server for serving authentication requests and queries. Could probably be done in 500 to 1000 lines of PHP.
Days 5 through 7: Write a PHP API for authenticating web users SSO style and getting either a list of user groups from an authentication request, or returning the results of a generic query. Could probably be done in 500 lines of PHP. Other languages can come later.
Days 8 through 10: Write a library to query the directory and parse the results. libcurl and tinyxml already cover 90% of what you need; there would probably only be 300 lines of code.
Days 11 through 12: Pick an existing FOSS login client for Windows and Linux, and modify it to use the library you wrote for authentication. It's probably a matter of replacing a single function.
Days 13 through 14: Implement a certificate authority for the domain controller using existing FOSS code, in order to define which machines are part of the domain.
Days 15 through 20: Domain controller replication. Shouldn't be too hard if you picked your database well.
Days 21 through 30: Quality control, writing automated tests.
The only 2 parts that have a real potential for failure are:
1. The developer sucks at developing database schemas
2. The developer sucks at developing secure PHP applications
Now, mind you, when I said "finished in 30 days" I didn't mean that it would be 100% ready to be mainlined into the next release of RHEL at this point, but it could certainly be driving a virtual network of 5 or VMs running on my developer's workstation. Frankly, the biggest thing holding me back from doing it is that I don't want to waste my time if no major distros are going to adopt it, and it's a bit difficult to ask them to support something I haven't written yet; the "chicken or egg, which came first?" paradigm.