There should be a standalone "who is online" patch somewhere burried in the bug-tracker. Ask Björn Kiesbye about it. It does exactly what you envisioned.
Most likely I missed it, but I did not see how you could change the password on an LDAP server using the OpenACS webfrontend. So no suggestion for splitting it up.
My reason for asking concerning time and what is funded: We need to get LDAP support ready til June. So if you external authentification is ready and supports LDAP as an external source, great. If LDAP as an external source is missing, we can build it. If all is missing, we are applying the same patch we did for ACS 3.5.
Have you thought about linking to other sites with an automatic setting of the authentification cookies of the remote site? Though it does require some development on both systems, it is useful especially if you think about Single Sign On. If interested I can ask Denis to post a working solution (theoretically, as ACS 3.5 code probably doesn't do you good).
