The motivation there was for laptop use cases, right? i.e. where you want to be able to authenticate a user even when you can't reach the LDAP server?
The motivation is mostly to abstract from different identity sources and authentication sources: You can configure LDAP, AD, IPA, local files, or SSSD itself (it has a local identity domain you are welcome to use). The point is that your application does not need to know what the source is. The source is configured outside the app.
I do like this idea. Instead of supporting both LDAP / DB based authentications (and having to keep users in sync), perhaps in configure we can have the admin select an authentication mechanism, configure it (whether a new local install or an existing remote solution), and then access it via PAM (or GSSAPI or whatever abstract authentication mechanism).
That way Aeolus could support whatever custom authentication scheme, whether or not it is already deployed in an existing infrastructure (I'm sure this will make a lot of sysadmins happy :-) )
-Mo