by breakwaterlabs 1032 days ago
First off, it's primarily Kerberos with LDAP frosting. Kerberos is what makes the AD world go round, and much of what happens in Windows rests purely on tickets and the PAC, not LDAP queries. Second, there are a lot of special bits that others do not replicate.

For instance, shadow rights / MIM / PAM does not, to my knowledge, have an OSS equivalent.

Windows Hello for Business is the only moderately secure take on biometric auth into kerberos that I have heard of.

LAPS is the only secure, native LDAP take I have heard of for managing root passwords, which fills a big compliance need for a lot of orgs.

And there is quite a lot about GPO that works wonderfully when paired with sssd, e.g. access control.