For the authentication, I use a CustomAuthenticator that extends AbstractAuthenticator.

If the authentication fails I use LdapAuthenticationException or LdapNoPermissionException and I appreciate a lot to be able to provide some hint (String explanation) why the exception was thrown.

Unfortunately, this hint never reaches the client. I only sees "error code 49 - Bind failed" - the equivalent is visible in the server log as
<<Ldap Result
            Result code : (ResultCodeEnum[INVALIDCREDENTIALS=49]) invalidCredentials
            Matched DN : 'null'
            Error message : 'Bind failed'>>

It appears that the culprit is org.apache.directory.server.core.authn.AuthenticationService.bind(NextInterceptor next, Name bindDn, byte[] credentials, List mechanisms, String saslAuthId) throws NamingException

 where that expception is caught, neither its class is analyzed in detail nor is there any attempt to use "explanations" when re-throwing even though an LdapAuthenticationException constructor does exist that takes a "msg" for explanations.

Therefore my suggestion: please make sure that it is possible to provide a user more information by optionally appending an "explantion" to the 'Bind failed' a client currently sees in an ldap client.