http://www.perlmonks.org?node_id=1065876


in reply to Reuse the LDAP session ?

Is this, say, a company intra-net in which multiple applications are installed, to be made available only for use by logged-in users?

If so, your situation is almost trivialized by existing Apache/nginx directives. Use them to restrict the app to access only by specified users (LDAP criteria), and the app will then have access to known-good information about who the connected user is, as well as other trustworthy attributes about him. (If such information can’t be obtained, because something is broken or misconfigured, redirect him to some suitably obnoxious place ...) You don’t have to provide “login” functionality at all, as you do with a web-site that faces the world at large.

Also note: generally, you should not cache the LDAP-related information in a traditional “session”-store ... in contradiction to the usual public-web-site practice. You want the information to be fresh. If someone updates the user’s central credentials, e.g. to grant some access or(!) to take it away, your site should thus be able to react immediately, as soon as the change has propagated. A user should not have to reconnect to your site in order to pick up on what has been centrally granted; nor should he, by virtue of remaining connected to it, continue to exercise privileges that have been centrally taken away.
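The Apache side of what the reply above describes, as an added example (not from the original post or any reply in the thread): mod_authnz_ldap authenticates the user, a `Require ldap-group` line does the authorization on every request, and the app receives the identity in REMOTE_USER set by the server rather than by the client. Everything here assumes httpd 2.4 (2.4.10+ for the `expr=` header), and the hostname, DNs, group name, module paths and backend port are made-up placeholders. The mod_ldap cache directives are the caveat that goes with the "keep it fresh" point: httpd caches bind and group-lookup results for 600 seconds by default, so a revoked user can keep getting in for up to ten minutes unless the TTLs are lowered.

```apache
# Added example config, not the thread author's. Module paths and all
# names below (ldap.example.com, the DNs, port 8080) are placeholders.
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

# mod_ldap caches successful binds and search/compare results server-wide.
# The default TTLs are 600 s, i.e. a centrally revoked account keeps
# working for up to ten minutes. Shorter TTLs trade LDAP load for faster
# revocation. These are server-level directives, not per-<Location>.
LDAPSharedCacheSize  200000
LDAPCacheEntries     1024
LDAPCacheTTL         60
LDAPOpCacheEntries   1024
LDAPOpCacheTTL       60

<Location "/intranet-app">
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap

    # Search ou=People for an entry whose uid matches the supplied name.
    # Listing "mail" as a second attribute exports it to the app as the
    # environment variable AUTHENTICATE_MAIL. ldaps:// keeps the user's
    # password encrypted between httpd and the directory.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid,mail?sub?(objectClass=inetOrgPerson)"

    # Service account used for the search. Keep the real password in a
    # root-only file pulled in with Include, not in a world-readable config.
    AuthLDAPBindDN       "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-me"

    # Authorization: membership in one group, evaluated on every request
    # (subject only to the mod_ldap cache above). Removing the user from
    # the group cuts access without the user having to "log out" of anything.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=intranet-users,ou=Groups,dc=example,dc=com

    # Hand the app the bare uid in REMOTE_USER instead of the full DN.
    AuthLDAPRemoteUserAttribute uid

    # Only needed if the app runs behind a reverse proxy rather than
    # in-process (CGI/mod_perl sees REMOTE_USER directly). Strip any
    # client-supplied copy of the header before auth runs, then set it
    # from the server-verified value so the backend can trust it.
    # Requires mod_headers and mod_proxy_http; expr= needs httpd >= 2.4.10.
    RequestHeader unset X-Remote-User early
    RequestHeader set   X-Remote-User expr=%{REMOTE_USER}
    ProxyPass "http://127.0.0.1:8080/intranet-app"
</Location>
```

Two things to check after deploying this: that the backend is not reachable except through httpd (otherwise anyone can send their own X-Remote-User), and that the app reads REMOTE_USER or X-Remote-User on every request instead of copying it into its own session once, which would reintroduce exactly the stale-privilege problem the reply warns about.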