LDAP with External Authorization service


In our use case, Apigee 14.7 is the gateway. It will do authentication using LDAP, and authorization will be done by an external authorization service (which will do token management). Is there any recommended approach for the above use case?


I guess what you want to do is:

  • use the built-in Ldap policy to perform an authentication against your LDAP server.
  • with the return of that, I suppose you will receive a set of attributes on the user: group membership, or roles, etc. At that point you will call the external authorization service. You didn't describe this authorization service, so you will invoke this thing in a service-specific manner: using ServiceCallout, or JavaScript with httpClient, or ... some other way.

You didn't describe the goal of the authorization call.

Normally this is done when issuing tokens that carry user context.

The client app does something like:

POST /oauthv2/token

...sending along the appropriate client and user credentials.

And then the API endpoint at /oauthv2/token (hosted by Apigee Edge and configured by you) will do the required steps:

  • verify user identity with LDAP
  • perform the authorization lookup via your external service
  • verify client identity (implicitly) with OAuthV2/GenerateAccessToken, and attach the information received from the Authz service (like group names, role names) as custom attributes to the token upon issuance.
  • return the token to the client app.

Here is an example that walks you through this kind of flow. It uses a mock service for validation of user credentials. You could replace that with an Ldap policy in your case.
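The four steps above, sketched as Apigee policy configuration. This is an added illustration, not code from the reply above or from the Apigee documentation; the policy names, the `ldap-resource-example` LDAP resource, the `https://authz.example.internal` callout target and its `/authorize` path, and the `roles` field in the authorization service's JSON response are all assumptions for the sake of the example. Each policy would live in its own file under `apiproxy/policies/`, as the comments indicate.

```xml
<!-- apiproxy/proxies/default.xml : the /oauthv2/token flow, steps in the order the reply describes -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/oauthv2</BasePath>
  </HTTPProxyConnection>
  <Flows>
    <Flow name="GenerateToken">
      <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>LDAP-AuthenticateUser</Name></Step>   <!-- 1. verify user identity with LDAP -->
        <Step><Name>SC-ExternalAuthz</Name></Step>        <!-- 2. authorization lookup via external service -->
        <Step><Name>EV-AuthzResponse</Name></Step>        <!--    pull role names out of the callout response -->
        <Step><Name>OAuth-GenerateAccessToken</Name></Step> <!-- 3+4. verify client, issue token with attributes -->
      </Request>
    </Flow>
  </Flows>
  <RouteRule name="noroute"/> <!-- token endpoint: no backend target -->
</ProxyEndpoint>

<!-- apiproxy/policies/LDAP-AuthenticateUser.xml : bind as the user; a failed bind raises a fault
     (continueOnError is false) so the flow stops before any token is issued -->
<Ldap name="LDAP-AuthenticateUser" continueOnError="false" enabled="true">
  <LdapResource>ldap-resource-example</LdapResource> <!-- assumed resource name -->
  <Authentication>
    <UserName ref="request.formparam.username"/>
    <Password ref="request.formparam.password"/>
    <Scope>subtree</Scope>
    <BaseDN>dc=example,dc=com</BaseDN>             <!-- placeholder base DN -->
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
  </Authentication>
</Ldap>

<!-- apiproxy/policies/SC-ExternalAuthz.xml : ask the external authorization service about the
     now-authenticated user; only the username is forwarded, never the password -->
<ServiceCallout name="SC-ExternalAuthz" continueOnError="false" enabled="true">
  <Request variable="authzRequest">
    <Set>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <Payload contentType="application/json">{"user":"{request.formparam.username}"}</Payload>
      <Verb>POST</Verb>
      <Path>/authorize</Path>
    </Set>
  </Request>
  <Response>authzResponse</Response>
  <HTTPTargetConnection>
    <URL>https://authz.example.internal</URL>       <!-- assumed service URL; TLS, internal network -->
  </HTTPTargetConnection>
</ServiceCallout>

<!-- apiproxy/policies/EV-AuthzResponse.xml : the service is assumed to answer {"roles": "..."} -->
<ExtractVariables name="EV-AuthzResponse" continueOnError="false" enabled="true">
  <Source>authzResponse</Source>
  <VariablePrefix>authz</VariablePrefix>
  <JSONPayload>
    <Variable name="roles">
      <JSONPath>$.roles</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

<!-- apiproxy/policies/OAuth-GenerateAccessToken.xml : password grant; the client's own credentials are
     checked implicitly from the Basic Authorization header, and the roles become a token attribute -->
<OAuthV2 name="OAuth-GenerateAccessToken" continueOnError="false" enabled="true">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>                   <!-- milliseconds: one hour -->
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <Attributes>
    <!-- display="true" echoes the attribute in the token response as well as storing it with the token -->
    <Attribute name="roles" ref="authz.roles" display="true"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

Two points worth keeping in mind when adapting this: the callout runs only after the LDAP bind succeeded, so the authorization service is never consulted for unauthenticated requests, and the role attribute is later available to resource proxies from the VerifyAccessToken policy's `accesstoken.roles` variable without any further LDAP or authorization-service round trip.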