Well, I'm finally getting the hang of LDAP (OpenLDAP) and Apache's auth_ldap. I can now create, modify and delete users over the web, and I can authenticate them against apache. I'm sure that I could get the LDAP PAM module working, but I don't need it for what I'm doing now.
Now I can create a list of users, send them randomly-generated passwords, and they can go to their directory and change their own passwords to whatever they like.
The only point that I dislike, right now, is that I can't seem to get PHP to correctly create a SSHA hash of a password by itself - I'm left to doing a nasty backtick hack to call ldappasswd. I can create DES + salt hashes, but I'd really prefer the extra security of SSHA. If anyone knows of a way to do this from within PHP, please let me know.