java sasl authentication with openldap server

Can anyone see any reason this code doesn't work when ldapwhoami -U portal -h yorktown -Y PLAIN -ZZ works just fine? Is there something I'm doing that isn't equivalent?

LDAPConnection connection = new LDAPConnection();
connection.connect("yorktown.example.com", 389);
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
SSLContext sslContext = sslUtil.createSSLContext();
ExtendedResult extendedResult = connection.processExtendedOperation(new StartTLSExtendedRequest(sslContext));
PLAINBindRequest bindRequest = new PLAINBindRequest("u:portal", "test");
BindResult bindResult = connection.bind(bindRequest);

this code gives the following exception thrown by the connection.bind call:

play.exceptions.JavaExecutionEx开发者_JAVA百科ception: SASL(-13): user not found: Password verification failed
        at play.mvc.ActionInvoker.invoke(ActionInvoker.java:285)
        at Invocation.HTTP Request(Play!)
Caused by: LDAPException(resultCode=49 (invalid credentials),
    errorMessage='SASL(-13): user not found: Password verification failed', 
    diagnosticMessage='SASL(-13): user not found: Password verification failed')
        at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1710)

Either the documentation for PLAINBindRequest is wrong or there's something wrong with how OpenLDAP 2.4.23 is handling the request. Server logs revealed that the u: was being passed through to the server, resulting in DNs like uid=u:portal,dc=example,dc=com. Once I changed it to new PLAINBindRequest("portal", "test") it worked.