All plugins registered for a certain task (like authenticiation, authorization) are ordered (and can be ordered by the administrator) in terms of "first ask LDAP, then ask Plone" as a site-wide configuration.
So the Plone authentication part will ask all authentication plugins in their pre-defined order if they can authenticate given credentials. The first plugin that can authenticate a user, wins.
A default PAS configuration for the authentication part looks like this (with source_users being the Plone default user database).
Thanks a lot for the doubt clarifications.
I have submitted the initial draft, would be adding more details by tomorrow and finishing it
meanwhile, any views over implementation details would be appreciated ( if you can ).