About six weeks ago I wanted to set up an OpenACS 4 bboard as a kind of "online suggestion box". This was really just a mockup for a very few users to demonstrate OpenACS's email alerts and other features, so I didn't worry about being sloppy. Because of that and because I'm working on Windows 2000, this would not be the way to go for a production environment with thousands of users. If I were doing this for a real site, I would probably have used nsldap, SSL, an option to not do the fallback, etc.
I wrote a Perl script that takes a name and password and checks it against the Active Directory via LDAP. It used Win32::OLE. If authentication succeeds, the script fetches the user's full name from the AD and prints it. The Perl script just gets exec'ed from a Tcl function that checks the return value and any output.
All of the changes I made to OpenACS were in acs-subsite/www/register/. Most of them were small things, like changing the ADP pages to say "Windows Username" instead of "Email". The authentication logic in user-login.tcl is the only real code that needs to be changed. If authentication succeeds, I check the username against the existing OpenACS accounts. If it is not there, I create the user using the first and last names returned by the Perl script. If ADSI authentication fails it uses the built-in authentication. Since this was a toy installation, I didn't bother with deleting accounts, etc.
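As an added illustration of the Perl side described above (this is not the poster's script, and it was written for this page), the following uses Win32::OLE with the ADSI OLE DB provider (ADsDSOObject) to bind to Active Directory as the user being tested and, on success, read givenName and sn, which is what the login code needs to create the OpenACS account. The domain name EXAMPLE, the search base DC=example,DC=com, the file name adauth.pl, the exit-code convention and the matched error text are all assumptions. Two things differ from the post on purpose: the password is read from standard input rather than taken as a command-line argument, so it does not appear in the process list, and "credentials rejected" (exit 1) is reported separately from "directory unreachable" (exit 2), so the caller can decide whether a fallback to built-in authentication is appropriate.

```perl
#!/usr/bin/perl
# adauth.pl - authenticate a Windows user against Active Directory through
# ADSI (ADO over ADsDSOObject) and print "givenName<TAB>sn" on success.
# Added example; domain, search base and exit codes are assumptions.
#
# Usage: the password arrives on STDIN, never on the command line:
#   echo %PASSWORD% | perl adauth.pl jsmith
#
# Exit status: 0 = authenticated, 1 = credentials rejected or bad input,
#              2 = directory unreachable or misconfigured
use strict;
use warnings;
use Win32::OLE;

my $DOMAIN      = 'EXAMPLE';                       # NetBIOS domain (assumed)
my $SEARCH_BASE = 'LDAP://DC=example,DC=com';      # search base (assumed)
use constant ADS_SECURE_AUTHENTICATION => 1;       # ADS_AUTHENTICATION_ENUM

Win32::OLE->Option(Warn => 0);   # failures come back as undef + LastError

# Only accept a plain sAMAccountName; rejects path/filter metacharacters.
my $user = shift @ARGV;
(defined $user && $user =~ /^[A-Za-z0-9._-]{1,20}$/)
    or do { print STDERR "bad username\n"; exit 1 };

my $password = <STDIN>;
exit 1 unless defined $password;
$password =~ s/\r?\n\z//;
exit 1 if $password eq '';       # empty password would mean anonymous bind

# Escape user-controlled text for an LDAP search filter (RFC 4515).
sub ldap_filter_escape {
    my ($s) = @_;
    $s =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $s;
}

# Open an ADO connection that binds as the user being tested; the provider
# performs the authenticated bind when the query executes.
my $conn = Win32::OLE->new('ADODB.Connection')
    or do { print STDERR "ADO unavailable\n"; exit 2 };
$conn->{Provider} = 'ADsDSOObject';
$conn->Properties('User ID')->{Value}   = "$DOMAIN\\$user";
$conn->Properties('Password')->{Value}  = $password;
$conn->Properties('ADSI Flag')->{Value} = ADS_SECURE_AUTHENTICATION;
$conn->Open('Active Directory Provider');
if (my $err = Win32::OLE->LastError()) {
    print STDERR "directory error: $err\n";
    exit 2;
}

my $filter = sprintf '(&(objectCategory=person)(sAMAccountName=%s))',
                     ldap_filter_escape($user);
my $rs = $conn->Execute("<$SEARCH_BASE>;$filter;givenName,sn;subtree");

unless (defined $rs) {
    my $err = Win32::OLE->LastError() || '';
    # ADO surfaces ERROR_LOGON_FAILURE (0x8007052e) as "Logon failure: ...".
    # The exact text is an assumption; anything unrecognised is treated as
    # an outage (exit 2) so the caller can apply its own fallback policy.
    if ($err =~ /Logon failure|0x8007052e/i) {
        print STDERR "logon failure\n";
        exit 1;
    }
    print STDERR "directory error: $err\n";
    exit 2;
}
if ($rs->{EOF}) { print STDERR "no such account\n"; exit 1 }

my $given = $rs->Fields('givenName')->{Value};
my $sn    = $rs->Fields('sn')->{Value};
$given = '' unless defined $given;
$sn    = '' unless defined $sn;
print "$given\t$sn\n";
exit 0;
```

From the Tcl side, `exec perl adauth.pl $user << $password` feeds the password on standard input, and wrapping the call in `catch` turns a non-zero exit into an error whose `$::errorCode` is `CHILDSTATUS pid code`, so the login handler can tell exit 1 (reject the login) from exit 2 (directory down) and only consider the built-in-authentication fallback in the second case, or not at all, which is the safer default.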