You definitely want all of your validation and authentication to occur at the lowest common denominator point. You don't want to put heavy authentication on one front-end only to have a hole or weak authentication on another front-end. Better to use a common scheme on the back-end (LDAP) and allow the front-ends to just use what's there. It greatly reduces complexity (usually) and is significantly more robust.
I'm a bit unclear why you can't use ACLs (ACIs) in LDAP to do this. Generally you would have the user authenticate against the LDAP database (e.g. by binding to it using their distinguished name) first, and then, once they're authenticated, try to do operations as that user (e.g. changing their password). I've only had a small amount of experience with ACIs on a couple of LDAP platforms, but they seemed similar enough for me to think they were the same syntax, though I may not have been looking closely enough.
So basically, it seems to me that you should be able to do this by putting all of your access control and authentication in LDAP. Not sure, though.
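As an added illustration (not from the original post or its author), here is what "put the access control in LDAP" looks like for the password case the post describes: the user binds with their own DN and the server's own access rules decide whether the subsequent modify succeeds. The same rule is shown in OpenLDAP's olcAccess syntax and in the ACI syntax used by 389 Directory Server / Red Hat Directory Server, since the two are close but not identical. The suffix dc=example,dc=com, the database index {1}mdb and the user DNs are assumptions.

```ldif
# Added example, not part of the original post.
# Assumed suffix: dc=example,dc=com. Two alternative records follow; load
# the one matching your server.

# --- OpenLDAP (cn=config) form ---
# userPassword: the owner may change it, anonymous clients may only use it
# to authenticate (the "auth" right is what lets the simple bind succeed),
# and nobody else can read or write it. Everything else: owner may write
# their own entry, authenticated users may read, anonymous gets nothing.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none

# --- 389 Directory Server / RHDS form ---
# Same intent as the {0} rule above, as an ACI on the suffix entry.
# "ldap:///self" matches only when the bound DN is the entry being
# modified, so uid=alice can change her own userPassword but not bob's.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "self password change"; allow (write) userdn = "ldap:///self";)
```

To check the rule the way the post suggests, bind as the user rather than as an administrator: `ldapwhoami -x -D "uid=alice,ou=people,dc=example,dc=com" -W` confirms the bind itself, and `ldappasswd -x -D "uid=alice,ou=people,dc=example,dc=com" -W -S` changes the password under that identity. Running the same `ldappasswd` with a different target DN appended (for example bob's) should be refused with an insufficient-access error; if it is not, the front-end is being trusted to enforce something the directory should be enforcing.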