I hope someone is willing to entertain my questions here ; )

Right now we use a product called ClearTrust from RSA.  It attaches to our
Active Directory via LDAP for user authentication to various [web]
resources.  We use the UPN for user identification and, because users are
stupid and lazy, we append the domain portion of the name for them via the
web form; the user enters john.smith and we submit
john.smith@subdomain.ourdomain.com.  ClearTrust then attempts an LDAP bind
to AD to determine if the name and password are valid.

Now, in typical corporate fashion, I have to get this authentication
working for not one, but 4 forests in 90 days.

Here are the requirements:

[Almost] user-transparent.
[Almost] no downtime.
No significant changes to source directories.

To me, this sounds like I need a metadirectory, but I have no experience
here.  This is how I feel the metadir would work (stop me when I don't make
sense):

User enters name and chooses domain on logon form.
ClearTrust tries to auth to metadir.
Metadir looks at domain and forwards (referral, right?) to the right
source directory.  How does this work?  Is this a standard LDAP thing?
ClearTrust attempts auth at referred directory.

Is it possible to sync all records into the metadir, instead?  You can't
do this with the AD passwords via LDAP, right?

Any guidance is much appreciated . . . products, standards, problems, etc.
are all open game.

Thanks,
Chaz
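The logon flow sketched above (look at the chosen domain, forward the bind to that forest's directory) as an added Python example; this is not the poster's code nor ClearTrust's. It routes by UPN suffix, validates the local part before the suffix is appended, fails closed on an unknown domain, and rejects empty passwords, which AD otherwise accepts as an unauthenticated simple bind. The forest names, hostnames and the injected `bind` callable are assumptions; a real deployment would pass an ldap3 or python-ldap simple bind in its place.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed example: one source directory per forest, keyed by the UPN
# suffix the user picks on the logon form. Hostnames are placeholders.
FORESTS: Dict[str, str] = {
    "subdomain.ourdomain.com": "ldaps://dc1.subdomain.ourdomain.com",
    "forest2.example": "ldaps://dc1.forest2.example",
    "forest3.example": "ldaps://dc1.forest3.example",
    "forest4.example": "ldaps://dc1.forest4.example",
}

# The web form supplies only the local part (john.smith). Accept a plain
# account-name character set so the user cannot include '@', '\', '*' or
# '(' and turn the appended suffix into a different name.
LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Shape of a real LDAP simple bind: (server_url, upn, password) -> bool.
BindFn = Callable[[str, str, str], bool]


@dataclass(frozen=True)
class BindTarget:
    server: str
    upn: str


def route_bind(local_part: str, domain: str) -> Optional[BindTarget]:
    """Pick the forest for this logon; None means 'refuse, do not bind'."""
    if not LOCAL_PART.match(local_part):
        return None
    server = FORESTS.get(domain.lower())
    if server is None:  # unknown suffix: fail closed, never guess a forest
        return None
    return BindTarget(server=server, upn=f"{local_part}@{domain.lower()}")


def authenticate(local_part: str, domain: str, password: str, bind: BindFn) -> bool:
    """Route the logon to its forest and attempt a simple bind there."""
    # AD treats a simple bind with an empty password as an unauthenticated
    # bind and reports success, so it must be rejected before binding.
    if not password:
        return False
    target = route_bind(local_part, domain)
    if target is None:
        return False
    return bind(target.server, target.upn, password)
```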