In our LDAP server the anonymus access is not allowed, so we need to authenticate with Manager DN and then search the login user attributes. When we "Test LDAP settings" we can see how the Lookup is successful:
 

Lookup
User lookup: successful
User ID: username
User Dn: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
User Display Name: username 
LDAP Group membership:  GLOBAL_GROUP   
LDAP Group lookup: successful (1 group)

But the login failed:
 

Login 
Authentication: failed for user "username"

Lockout
The user "username" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?

 
We have checked that the password is okey loging in directly on the LDAP.
 
We have captured the conversation between Jenkins and the LDAP and analyzing it with Wireshark we found that the LDAP plugin requires two times the read permission for reading the LDAP tree, the first time when the Manager DN search the login user, and a second time when the login user needs to read his own attributes before login, in our LDAP is not allowed for login users to read the attributes for security reasons, that king of users only can login on LDAP not read the tree:so the search find 0 attributes:
 
 

searchRequest
   baseObject: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
   scope: baseObject (0)
   derefAliases: derefAlways (3)
   sizeLimit: 0
   timeLimit: 0
   typesOnly: False
   Filter: (objectClass=*)    
      filter: present (7)
      present: objectClass
   attributes: 0 items

 
 
And produces that error:

0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:  'O=domain'

 
I think it is not necessary to read two times the LDAP three, the first time is necessary to lookup (Manager DN) but the login user shouldn't have to read again the LDAP to login.