How do you authenticate a cloud service against a local Active Directory?



Is there a standardized way to set up AD authentication for a web service that does not have direct access to the AD controller? I'm thinking of a cloud application such as Google Apps that wishes to authenticate against an organization's AD.

I have googled around quite a bit but I don't seem to know the right keywords. Maybe someone else can elighten me or give me some search pointers.

FWIW, our applications are written in PHP using Zend Framework.