I have most of the piece parts done (IUCV driver, PAM driver, Kerberos and LDAP interfaces, Linux guest to do the heavy lifting) to enable VM to use any authentication sources supported by PAM, including AD. The remaining part is the necessary CP modules to normalize all the entry points to CP into a documented interface that doesn't require rebuilding CP, then convincing IBM to either ship VM with the RACF interface modules prebuilt, plus a dummy "RACF lite" that implements the defaut "defer" behavior, or agree on what the external interface should be in terms of service access points and ship that. I'd actually donate the service code if IBM would accept it.
As you might imagine, the last part is the hardest. If someone wants this badly enough to pay for it, then I can probably have a beta-ready version available in a month or so. -- db