When the baseDN is not configured but only the Domain has been set in hive-site.xml, LDAP Atn provider cannot locate the user in the directory. Authentication fails in such cases. This is a change from the prior implementation where the auth request succeeds based on being able to bind to the directory. This has been called out in the design doc in
But we should allow this for now for backward compatibility.