Check out the "auth_user_info" service contract, which is designed to query the external authentication server for user info in real-time, when a user who's not in the OACS users table tries to log in. Sounds like what you want for #1.
"Authentication" and "Password management" let you choose the service contract that implements the given functionality for the given authority. Local is the implementation that authenticates/changes password in the local users table. LDAP is the one that talks to an LDAP server. If you install the auth-pam package, PAM would be added to the options.
Hope this helps,