The authorization identity request control is described in RFC 3829 and can be included in a bind request to indicate that the server should include the resulting authorization identity in the successful bind response.
In PingDirectory Server, this authorization identity is always in the form of a
distinguished name (DN), prefixed by dn: (for example,
dn:uid=jdoe,ou=People,dc=example,dc=com).
This control is useful to determine the DN of the authenticated user entry, especially when the bind request does not identify the user by a DN, such as if the client was identified by a username, a Kerberos principal, a client certificate, or an OAuth access token.