Well, as far as I know, the default LDAP login module uses authentication based on a bind operation to the LDAP server. This means that if you want to use this module, you have to be able to log in to the server with the supplied username and password from your client, e.g. users that are able to log in to your site via the LDAP login module can log in to your LDAP server directly if they can access the LDAP server. So if you want more, you have to code a new LDAP login module that logs in with the root principal and credential and knows where to look for the user and so on. Then the users can still log in to your application but can't log in to LDAP, because only root can do that.
Yeah... specify the LDAP server credentials in login-config.xml.
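
A sketch of what the reply above refers to, added here as an example and not taken from either poster. It assumes the JBoss AS `login-config.xml` format and its stock `LdapExtLoginModule`; the policy name, host, DNs and password are constructed placeholders.

```xml
<!-- Added example; policy name, host, DNs and password are constructed placeholders. -->
<application-policy name="example-ldap">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Use LDAPS so neither the service credential nor user passwords cross the wire in clear text. -->
      <module-option name="java.naming.provider.url">ldaps://ldap.example.com:636</module-option>

      <!-- Service account used only to search for the user's entry.
           Give it read-only access to the user and group subtrees, not the directory root DN. -->
      <module-option name="bindDN">cn=app-lookup,ou=services,dc=example,dc=com</module-option>
      <module-option name="bindCredential">CHANGE_ME</module-option>

      <!-- Where to look for the user: {0} is replaced with the login name. -->
      <module-option name="baseCtxDN">ou=people,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>

      <!-- Role lookup: {1} is replaced with the DN of the authenticated user. -->
      <module-option name="rolesCtxDN">ou=groups,dc=example,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>

      <!-- Reject empty passwords: many LDAP servers treat a bind with a DN and an
           empty password as an anonymous bind, which succeeds. -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

This module locates the user's entry with the service account and then checks the password by binding as that entry. Because the bind credential sits in this file, restrict the file's permissions to the application server account and keep it out of version control.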