RubyCAS is a Central Authentication Service, as you know, and as I understand it you are looking for a Central Authorization Service (not authentication).
To store all roles and groups in one place and give other applications the possibility to reuse them.
I was looking for something like that a few months ago but I couldn't find anything suitable for me.
I am thinking about starting a new module as part of the RubyCAS project to provide this functionality (CAAS - Central Authentication and Authorization Service), but my time is very limited right now, so it probably will not happen soon.
In OpenLDAP I have all users with roles and groups. ActiveLdap is used as the interface for OpenLDAP; it is very easy to use and integrate with any existing application.
I also created one small application, an "admin panel", where I can add new users and change roles for them (there are many existing applications for that; you can quite easily google something).
This solution is not the best but I think it is one of the simplest.
You can do that in a few days.
I just can't understand why you do not want to use AD/LDAP as the database for users and roles and groups?
If you split those two databases you will have an additional problem with synchronization and probably much more.
You can of course use multiple DITs in LDAP and have those databases in one place. I think ActiveLdap should also handle that, but this is additional work.
Anyway, using ActiveLdap you can quite easily achieve that.