In the PingDirectory server, this authorization identity is always in the form of a distinguished name (DN), prefixed by dn: (for example, dn:uid=jdoe,ou=People,dc=example,dc=com).

This control is useful to determine the DN of the authenticated user entry, especially when the bind request does not identify the user by a DN, such as if the client was identified by a username, a KerberosKerberos A network authentication protocol to provide strong authentication for client/server applications using symmetric key cryptography and a trusted authentication service (Key Distribution Center). The Key Distribution Center (KDC) authenticates the client and issues tickets allowing access to the server. Kerberos is the default authentication technology used by Microsoft. principal, a client certificate, or an OAuth access tokenaccess token A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources..