You may be interested in looking at Stanford's solution at:
http://webauthv3.stanford.edu/
It implements a WebKDC for Kerberos, among other useful features. It also has the capability to use SASL/GSSAPI into OpenLDAP. The product listed there today is Beta, tomorrow is the official release date of the production Webauth product.
Or UMich's solution, cosign:
http://weblogin.org/
http://middleware.internet2.edu/webiso/
There are plenty of solutions out there.
:wes