If I understand correctly, you can create a Tcl command "ldap_authenticate username password" and then patch ad_check_password to use this new command; then modifying ACS to interact with your module should be relatively painless.