Forum OpenACS Q&A: Response to Using Linux logins for OACS

Posted by Sean Redmond on
We're the client Talli mentioned. What we did took a lot of customization, and our situation is not as straightforward as yours, but basically we set up an LDAP directory and a custom login page that ignores ACS passwords but gets them instead from the directory via ns_ldap. This also involved creating (well, finding and copying) a TCL procedure to handle SSHA encryption for the passwords, since that seemed to be what OpenLDAP wanted to use.

We aren't using LDAP for user authentication (i.e. pam_ldap) since users never log in to that particular server directly, but that would be the simplest way to keep things down to one password. We use psynch to synchronize our passwords over several Windows and Linux systems, so I just customized the psynch script to run both passwd and ldappasswd for every synchronization.

I also wrote a script for adding users that creates both the Unix accounts and LDAP entries. If you provided the right information you could have the script create the user in your ACS database as well, though what I did was create a custom 'add user' page for our ACS installation that searches the LDAP directory for accounts that don't yet exist in ACS; it then offers them as options on a drop-down menu. You pick the one you want and it goes on to the usual 'add user' page with as much information as possible filled in from LDAP.

It does take a lot of customization but once you have ns_ldap set up, you can use your LDAP data however you need to.

Sean Redmond