The authorization identity request control is described in RFC 3829 and can be included in a bind request to indicate that the server should include the resulting authorization identity in the successful bind response.
In PingDirectory Server, this authorization identity is always in the form of a distinguished name (DN), prefixed by dn: (for example,
This control is useful for determining the DN of the authenticated user entry, especially when the bind request does not identify the user by a DN, such as when the client is identified by a username, a Kerberos principal, a client certificate, or an OAuth access token.
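The following Python code is an added example, not PingDirectory code: it BER-encodes a simple bind request that carries the request control, then extracts the DN from the response control in a constructed bind response. The function names, the sample response builder, and the single-byte message ID are assumptions made for illustration; the two OIDs are the ones assigned in RFC 3829.

```python
REQUEST_OID = "2.16.840.1.113730.3.4.16"   # authorization identity request control
RESPONSE_OID = "2.16.840.1.113730.3.4.15"  # authorization identity response control

def tlv(tag, body):
    """Encode one BER element with a definite length."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(buf):
    """Decode the BER elements packed in buf as a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def bind_request(msg_id, dn, password):
    """Simple bind (msg_id < 128) that asks the server for the authorization identity."""
    control = tlv(0x30, tlv(0x04, REQUEST_OID.encode()))  # no value, not critical
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind + tlv(0xA0, control))

def authz_dn(bind_response):
    """Return the DN from the response control ("" = anonymous), or None if absent."""
    (_, message), = children(bind_response)
    _, (op_tag, op), *rest = children(message)
    if op_tag != 0x61 or children(op)[0][1] != b"\x00":
        raise ValueError("not a successful bind response")
    controls = [c for tag, seq in rest if tag == 0xA0 for _, c in children(seq)]
    for control in controls:
        oid, *others = children(control)
        if oid[1].decode() == RESPONSE_OID:
            authzid = others[-1][1].decode() if others and others[-1][0] == 0x04 else ""
            if authzid and authzid[:3].lower() != "dn:":
                raise ValueError("expected a dn: authorization identity")
            return authzid[3:]
    return None

def sample_bind_response(authzid):  # constructed for this example, not captured traffic
    control = tlv(0x30, tlv(0x04, RESPONSE_OID.encode()) + tlv(0x04, authzid.encode()))
    result = tlv(0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))
    return tlv(0x30, tlv(0x02, b"\x01") + result + tlv(0xA0, control))
```

A client that authenticated by username, certificate, or token can compare the returned DN with the entry it expected before making authorization decisions on that connection.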