I think I understand, you can do this for most services, including system login, ssh, etc... using PAM modules. In my case (not your case), I need to allow auth to local service as well as AD, so in my /etc/pam.d/common-account (note: your PAM structure may be different) and common-auth, I have (example is from common-account):
You could do something similar with pam_ldap. With regards to AD, you need to decide how you are doing that and whether or not you want to use winbind (which is what I use). There's a lot to PAM, it's very powerful, you may want read up on it first. I'm sure there are examples out there that do close to what you are wanting. Google is your friend.