Currently mod_auth_ldap cannot authorize users that are not authenticated with mod_auth_ldap. The attached patches to mod_auth_ldap.c and util_ldap.c enable this functionality by looking up the user account from LDAP in the authorization phase even if the user is authenticated by some other module.
Created attachment 11163: Proposed patch for mod_auth_ldap.c
Created attachment 11164: Proposed patch for util_ldap.c
Note that the line numbers in these patches are probably offset because of other changes I have made, but the context should be clear. The patches are against 2.0.49 LDAP files.
Not sure if this is a good idea to add to v2.0.x of httpd, but when mod_auth_ldap is split into mod_authn_ldap and mod_authz_ldap in compliance with authentication in httpd v2.1, this will definitely be required.
This has now been fixed as part of bug 31898. 2.1 includes the full fix; only the util_ldap changes have been backported to 2.0.