The current module needs a technical account to be used when doing SSO, so that user info can be fetched from LDAP.
The AD module should be able to use the logged-in user's credentials to fetch information from AD.
The two attached patches are a proposal to make this possible. They use ldap_sasl_bind, which will automatically use the user's credentials to perform the bind on the server.
For this to work, browsers must be configured to allow user credential delegation, the user that holds the HTTP service name has to be trusted for delegation, and the Apache configuration must have KrbSaveCredentials set to on.
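
A sketch of the bind described above, as an added example that is not the code of the attached patches: it binds with the delegated ticket through ldap_sasl_bind and fails closed when no delegated credential is present. The function name, LDAP URI, base DN and the sAMAccountName mapping are assumptions, as is PHP 8 with an ldap extension built with SASL support; it relies on mod_auth_kerb exporting the saved cache as KRB5CCNAME.

```php
<?php
// Added example. Host, base DN and function name are placeholders, not from the patches.
const LDAP_URI = 'ldap://dc.example.test';   // assumed AD server
const BASE_DN  = 'dc=example,dc=test';       // assumed search base

/**
 * Bind to AD as the logged-in user via SASL/GSSAPI, using the ticket that
 * mod_auth_kerb saved (KrbSaveCredentials on), and return that user's entry.
 */
function fetch_own_entry(array $server): array
{
    $ccache = $server['KRB5CCNAME'] ?? '';
    $remote = $server['REMOTE_USER'] ?? '';

    // No cache means the browser did not delegate, or the HTTP service account
    // is not trusted for delegation. Fail closed; do not fall back silently.
    if (!preg_match('#^FILE:(/[\w./-]+)$#', $ccache, $m) || !is_readable($m[1])) {
        throw new RuntimeException('No delegated Kerberos credential available');
    }
    // REMOTE_USER is expected as user@REALM after Kerberos authentication.
    if (!preg_match('/^([^@\s]+)@[A-Za-z0-9.-]+$/', $remote, $u)) {
        throw new RuntimeException('Unexpected REMOTE_USER format');
    }

    // The GSSAPI library locates the credential cache through the environment.
    putenv('KRB5CCNAME=' . $ccache);

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);  // SASL requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // No DN or password: the GSSAPI mechanism authenticates with the ticket.
    if (!@ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ldap));
    }

    // Escape the name before it enters the filter (assumed attribute mapping).
    $filter  = '(sAMAccountName=' . ldap_escape($u[1], '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, BASE_DN, $filter, ['cn', 'mail', 'memberOf']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);

    if ($entries['count'] !== 1) {
        throw new RuntimeException('Expected exactly one directory entry');
    }
    return $entries[0];
}
```

Called as `fetch_own_entry($_SERVER)`, the lookup runs with the end user's own directory permissions, so no shared technical account password needs to be stored in the module configuration.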