Right now, there are around 10 calls to LDAP during a single HTTP request for user authentication.
The problem is that LDAP (UserFederation in general) doesn't benefit from the model cache, and each call to UserFederationManager methods like:
performs a call to LDAP. One possibility is to improve this at the Keycloak level (for example, at least a per-request cache of the "isValid" result, or the possibility to configure whether "isValid" checks should be performed at all).
It could also help to have a caching layer at the PicketLink level (however, this helps only with LDAPUserFederationProvider, not with custom providers provided by Keycloak users).
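
A sketch of the per-request "isValid" cache and the on/off switch suggested above, as an added example that is not Keycloak's code: `UserValidator`, `CountingLdapValidator` and `RequestScopedValidator` are hypothetical names, and the LDAP backend is a constructed counter rather than a real directory.

```java
import java.util.HashMap;
import java.util.Map;

public class PerRequestValidityCache {

    /** Hypothetical stand-in for a federation provider's validity check (not Keycloak's interface). */
    interface UserValidator {
        boolean isValid(String username);
    }

    /** Constructed backend that counts how often the directory would be contacted. */
    static class CountingLdapValidator implements UserValidator {
        int ldapCalls = 0;
        public boolean isValid(String username) {
            ldapCalls++;                          // stands for one LDAP round trip
            return !"disabled-user".equals(username);
        }
    }

    /** Created per HTTP request and discarded afterwards, so no result outlives the request. */
    static class RequestScopedValidator implements UserValidator {
        private final UserValidator delegate;
        private final boolean validationEnabled;
        private final Map<String, Boolean> results = new HashMap<>();

        RequestScopedValidator(UserValidator delegate, boolean validationEnabled) {
            this.delegate = delegate;
            this.validationEnabled = validationEnabled;
        }

        public boolean isValid(String username) {
            if (!validationEnabled) {
                return true;                      // checks switched off: the local copy is trusted as-is
            }
            // First lookup in this request hits the backend; repeats are served from the map.
            return results.computeIfAbsent(username, delegate::isValid);
        }
    }

    public static void main(String[] args) {
        CountingLdapValidator ldap = new CountingLdapValidator();
        UserValidator perRequest = new RequestScopedValidator(ldap, true);
        for (int i = 0; i < 10; i++) {            // ten lookups within one authentication request
            perRequest.isValid("alice");
        }
        System.out.println("alice valid: " + perRequest.isValid("alice"));
        System.out.println("disabled-user valid: " + perRequest.isValid("disabled-user"));
        System.out.println("LDAP calls: " + ldap.ldapCalls);
    }
}
```

Scoping the map to one request keeps a user who was disabled or removed in LDAP from being accepted on the next request; switching the check off entirely gives up that guarantee until the local copy is refreshed.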