The authorization identity request control is described in RFC 3829 and can be included in a bind request to indicate that the server should include the resulting authorization identity in the successful bind response.
In PingDirectory Server, this authorization identity is always in the form of a distinguished name (DN), prefixed by dn: (for example, dn:uid=jdoe,ou=People,dc=example,dc=com).
This control is useful for determining the DN of the authenticated user entry, especially when the bind request does not identify the user by a DN, for example when the client is identified by a username, a Kerberos principal, a client certificate, or an OAuth access token.
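The following added example (not PingDirectory or Ping Identity code) shows the control pair on the wire: it BER-encodes the request control a client attaches to the bind and extracts the DN from the matching response control. The OIDs are the ones RFC 3829 assigns; the function names and the sample values passed to them are constructed for illustration, and in practice an LDAP client library does this encoding for you.

```python
# Added example: RFC 3829 controls as BER-encoded LDAP Control sequences.
REQUEST_OID = "2.16.840.1.113730.3.4.16"   # authorization identity request
RESPONSE_OID = "2.16.840.1.113730.3.4.15"  # authorization identity response

def _tlv(tag, value):
    """Encode one BER element with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def _read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low bits = number of length octets
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n

def encode_control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }"""
    body = _tlv(0x04, oid.encode("ascii"))
    if critical:
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)

def bound_dn(control):
    """Return the DN from a response control, or None for an anonymous bind."""
    tag, body, _ = _read_tlv(control, 0)
    if tag != 0x30:
        raise ValueError("not a Control SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x04 or oid.decode("ascii") != RESPONSE_OID:
        raise ValueError("not an authorization identity response control")
    authz_id = b""
    while pos < len(body):            # skip optional criticality, keep the value
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x04:
            authz_id = val
    if not authz_id:
        return None                   # zero-length value: anonymous (RFC 3829)
    if not authz_id.startswith(b"dn:"):
        raise ValueError("expected dn: form of authzId")
    return authz_id[3:].decode("utf-8")
```

The request control carries no value, so encode_control(REQUEST_OID) is all a client sends; bound_dn() rejects any response value that is not in the dn: form this page describes.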