Hi all, welcome a new newbie [In dire need of help as they usually are]

I've been asked to change our webapp authentication to integrate with AD. I know this is a Java forum, but I figured this would be the best place to ask.

Some background:
Firstly, the webapp uses a J2EE Framework (& Tomcat & Hibernate & Struts etc).
The user credentials currently come from a Postgres database.
The DB design makes use of a userId field in the users table as a foreign key for several other tables (userToBusinessGroup/userToScheduledObj etc).
We were looking at directory service replication products such as Calendra to keep AD/LDAP/SQL in sync, but that's not an option anymore.

Now, I am quite comfortable in writing an authentication component with JNDI, after all, AD is an 'implementation' of LDAP.
What confuses me is how to maintain some kind of referential integrity in the DB as accounts are removed/updated etc.? I could use the SAM account name, or the [SID?] as the key for the DB's tertiary tables, but am at a loss to figure out how to avoid orphaning these records as the AD records are updated.

I'm thinking that I may have to catch a bucket load of record-not-found exceptions, and maintain some mechanism for removing the orphaned records once the account has been removed or changed in AD. This just seems plain nasty though.

Can anyone suggest a better way?
Maybe a scheduled LDIF export that a servlet can pick up, and use to replicate the accounts to the DB?

Thanks in advance for any suggestions.
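As an added example (not code from the post or from any product it mentions), the sketch below shows one way to keep the DB's referential integrity independent of what happens in the directory: the local `userId` stays the surrogate key that the other tables reference, and the directory's immutable `objectGUID` is stored in a separate column as the link to AD. A scheduled pass then reconciles the local table against a directory snapshot, updating renamed logins and deactivating (not deleting) accounts that have vanished, so no foreign key is ever orphaned. The `objectGUID` values, login names and the `DirectoryUser`/`LocalUser` classes are constructed for the example; in a real deployment the snapshot would come from a JNDI search and the enabled flag from `userAccountControl`.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not from the original post or any product): reconcile a local
 * users table with a snapshot of directory accounts. The local userId stays the
 * surrogate key that the other tables reference; the directory's immutable
 * objectGUID is stored beside it, so renames of sAMAccountName and removals in
 * the directory never break a foreign key. Removed accounts are deactivated,
 * never deleted.
 */
public class DirectoryReconciler {

    /** One account as it would come back from an LDAP search (constructed sample data). */
    public static final class DirectoryUser {
        public final String objectGuid;     // immutable identifier, survives renames
        public final String samAccountName; // login name, may change
        public final boolean enabled;       // in real AD: derived from userAccountControl

        public DirectoryUser(String objectGuid, String samAccountName, boolean enabled) {
            this.objectGuid = objectGuid;
            this.samAccountName = samAccountName;
            this.enabled = enabled;
        }
    }

    /** One row of the local users table; userId is the key the FK tables point at. */
    public static final class LocalUser {
        public final long userId;
        public final String externalId; // stored objectGUID
        public String loginName;
        public boolean active;

        public LocalUser(long userId, String externalId, String loginName, boolean active) {
            this.userId = userId;
            this.externalId = externalId;
            this.loginName = loginName;
            this.active = active;
        }
    }

    /** Counts of what a reconciliation pass did, for logging and alerting. */
    public static final class Summary {
        public int created, updated, deactivated, unchanged;

        @Override
        public String toString() {
            return "created=" + created + " updated=" + updated
                 + " deactivated=" + deactivated + " unchanged=" + unchanged;
        }
    }

    private final Map<String, LocalUser> localByExternalId = new HashMap<>();
    private long nextUserId;

    /** Load the existing rows (constructed here; normally read from the users table). */
    public DirectoryReconciler(List<LocalUser> existingRows) {
        long max = 0;
        for (LocalUser u : existingRows) {
            localByExternalId.put(u.externalId, u);
            max = Math.max(max, u.userId);
        }
        nextUserId = max + 1;
    }

    /** Bring the local table in line with the directory snapshot. */
    public Summary reconcile(List<DirectoryUser> snapshot) {
        Summary s = new Summary();
        Map<String, DirectoryUser> seen = new HashMap<>();
        for (DirectoryUser d : snapshot) {
            seen.put(d.objectGuid, d);
            LocalUser local = localByExternalId.get(d.objectGuid);
            if (local == null) {
                // New directory account: allocate a fresh surrogate key.
                localByExternalId.put(d.objectGuid,
                    new LocalUser(nextUserId++, d.objectGuid, d.samAccountName, d.enabled));
                s.created++;
            } else if (!local.loginName.equals(d.samAccountName) || local.active != d.enabled) {
                // Renamed or enabled/disabled in AD: userId is untouched, only attributes change.
                local.loginName = d.samAccountName;
                local.active = d.enabled;
                s.updated++;
            } else {
                s.unchanged++;
            }
        }
        for (LocalUser local : localByExternalId.values()) {
            if (!seen.containsKey(local.externalId) && local.active) {
                local.active = false; // soft delete: rows referencing userId stay valid
                s.deactivated++;
            }
        }
        return s;
    }

    public LocalUser findByExternalId(String objectGuid) {
        return localByExternalId.get(objectGuid);
    }

    public static void main(String[] args) {
        List<LocalUser> rows = new ArrayList<>();
        rows.add(new LocalUser(1, "guid-alice", "alice", true));
        rows.add(new LocalUser(2, "guid-bob", "bsmith", true));
        rows.add(new LocalUser(3, "guid-carol", "carol", true));
        DirectoryReconciler r = new DirectoryReconciler(rows);

        List<DirectoryUser> snapshot = new ArrayList<>();
        snapshot.add(new DirectoryUser("guid-alice", "alice", true));     // unchanged
        snapshot.add(new DirectoryUser("guid-bob", "bob.smith", true));   // renamed in AD
        snapshot.add(new DirectoryUser("guid-dave", "dave", true));       // new in AD
        // carol is absent from the snapshot -> deactivated, row and FKs kept

        System.out.println(r.reconcile(snapshot));
        System.out.println("bob keeps userId " + r.findByExternalId("guid-bob").userId);
    }
}
```

At login time the JNDI bind proves the credentials and a follow-up search on the bound DN returns `objectGUID`, which is the value to look up in the local table; keying on `sAMAccountName` would silently detach a user's history on rename, and keying on the SID is only safe as long as accounts never move between domains. Rows that the pass deactivates can be purged later by a separate, deliberate cleanup once nothing references them.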