In the PingDirectory server, this authorization identity is always in the form of a distinguished name (DN), prefixed by dn: (for example, dn:uid=jdoe,ou=People,dc=example,dc=com).

This control is useful for determining the DN of the authenticated user entry, especially when the bind request does not identify the user by a DN, for example when the client is identified by a username, a Kerberos principal, a client certificate, or an OAuth access token.
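One way a client can consume this control for audit logging, as an added example that is not PingDirectory or Ping Identity code: it pulls the authorization identity out of the bind response controls and accepts only the dn: form described above. The control OIDs come from RFC 3829 rather than from this page, and the (oid, criticality, value) tuple layout, the function names and the sample value are assumptions made for illustration.

```python
# Added example: constructed values, not PingDirectory code.
from typing import Iterable, Optional, Tuple

# OIDs from RFC 3829 (not stated on this page).
AUTHZ_ID_REQUEST_OID = "2.16.840.1.113730.3.4.16"   # sent with the bind request
AUTHZ_ID_RESPONSE_OID = "2.16.840.1.113730.3.4.15"  # returned with the bind result

# Assumed layout for a decoded control: (oid, criticality, raw value).
Control = Tuple[str, bool, bytes]


class AuthzIdError(ValueError):
    """Raised when the response control is missing or malformed."""


def authenticated_dn(response_controls: Iterable[Control]) -> Optional[str]:
    """Return the DN of the authenticated entry, or None for an anonymous bind."""
    values = [v for oid, _crit, v in response_controls
              if oid == AUTHZ_ID_RESPONSE_OID]
    if len(values) != 1:
        raise AuthzIdError(f"expected one authzId control, got {len(values)}")
    try:
        authz_id = values[0].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise AuthzIdError("authzId is not valid UTF-8") from exc
    if authz_id == "":
        return None  # RFC 3829: a zero-length value means anonymous
    prefix, sep, dn = authz_id.partition(":")
    if sep != ":" or prefix.lower() != "dn":
        # The server is documented to return only the dn: form; fail closed.
        raise AuthzIdError(f"unexpected authzId form: {authz_id!r}")
    return dn or None  # "dn:" with an empty DN is treated as anonymous


def audit_record(bind_name: str, response_controls: Iterable[Control]) -> dict:
    """Pair what the client presented with the entry the server resolved."""
    dn = authenticated_dn(response_controls)
    return {"presented": bind_name, "authenticated_dn": dn,
            "anonymous": dn is None}


# Constructed sample: a bind by username that the server mapped to a user entry.
SAMPLE = [(AUTHZ_ID_RESPONSE_OID, False,
           b"dn:uid=jdoe,ou=People,dc=example,dc=com")]

if __name__ == "__main__":
    print(audit_record("jdoe", SAMPLE))
```

Logging the presented name next to the resolved DN makes it visible when a username, certificate or token maps to a different entry than expected.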