I’ve managed to make some third-party things authenticate against Active Directory using Lightweight Directory Access Protocol. For instance I got Openfire Chat to work, and I got some photocopiers to allow access based on AD accounts. Zeroshell isn’t as straight forward; my first attempt didn’t work well.
I think (though I don’t know) that you could use either LDAP or Kerberos Protocol, but not both. You would make the local LDAP or Kerberos server a proxy for your Active Directory domain, much like you could make ZS DNS use your domain controllers as DNS forwarders. Actually, making K5 or LDAP work right would first require making DNS forwarding work, at least for your AD domain.