Currently from java I am connecting to LDAP with the following code, very typical example:

    Hashtable<String, String> env = new Hashtable<String, String>();

    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, user);
    env.put(Context.SECURITY_CREDENTIALS, password);

    LdapContext ctx = null;

    try
    {
        ctx = new InitialLdapContext(env, null);
        return true;
    }
    catch (NamingException ex)
    {
        return false;
    }
    finally
    {
        if (ctx != null)
        {
            try {
                ctx.close();
            } catch (NamingException e) {
                log.warn(e.getMessage());
            }
        }
    }

This works in terms of authenticating the user. However the LDAP administrator is telling me that I am not disconnecting gracefully when the bind is not successful. The error on the LDAP side is (e.g.):

[24/Jan/2013:13:20:44 -0500] conn=249 op=-1 msgId=-1 - closing from [ipaddress]:44724 - A1 - Client aborted connection -

He also says when it is a successful authentication, the disconnection is graceful. I guess this is because I do the ctx.close() in that situation.

However, when authentication fails, there's actually an exception thrown from the new InitialLdapContext(env, null) line. Therefore no context is returned, and no close is called on any context.

Is there some way to retrieve some kind of connection object, before attempting the authentication, so that I can close it afterwards whether or not auth was successful?

Why does he care between a graceful and non-graceful close? Clearly your close is being executed in the only relevant case: the case where you succeeded. In the other case there is nothing to close, so nothing you can call. The JNDI LDAP provider closes it in the other case, and clearly it is that which is doing the abortive close. This is all under the hood in the JNDI LDAP provider. Nothing you can do about it. I suggest he find something else to worry about that's actually important.

Searching LDAP normally returns

NamingEnumeration<SearchResult> results

which you also need to close():

} finally {
            if(results != null) {
                try {
                    results.close();
                } catch (NamingException e) {
                    LOG.error("Error closing LDAP results", e);
                }
            }

Construct the context object before adding any authentication details. Then, use addToEnvironment to add in the credentials. Finally, perform a very simple search (My approach is to lookup the username's distinguishedName attribute). The search will fail if the credentials aren't good, and you'll still have a context object to close.

An added bonus of this approach: you can maintain a pool of context objects and avoid constantly connecting/disconnecting to perform authentication.

Hashtable<String,String> environment = new Hashtable<String,String>();
environment.put("java.naming.provider.url", url);
environment.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");

InitialLdapContext context = new InitialLdapContext(environment, null);

...

context.addToEnvironment("java.naming.security.principal", principal);
context.addToEnvironment("java.naming.security.credentials", credentials);

...

// execute some kind of search, based on your needs