When specifying LDAP as your authentication service, you must specify what LDAP server to use.
Set the property derby.authentication.server to the URL to the LDAP server. For example:
derby.authentication.server=ldap://godfrey:389/
The LDAP server may be specified using just the server name, the server name and its port number separated by a colon, or an "ldap" URL. If a full URL is not provided, Derby will by default use unencrypted LDAP. To use SSL encrypted LDAP, a URL starting with "ldaps://" must be provided. For details on the derby.authentication.server property, see the Derby Reference Manual.
Grant java.net.SocketPermission to derby.jar, so that the Derby code is allowed to contact the LDAP server to perform the authentication. See Granting permissions to Derby for more information.