- Bug
- Resolution: Fixed
- P4
- 1.3.0
- None
- beta
- generic
- generic
Two identities are defined for SASL authentication: the authentication identity
and the authorization identity. RFC 2222 states:
"With any [SASL] mechanism, transmitting an authorization identity
of the empty string directs the server to derive an
authorization identity from the client's authentication
credentials."
In "JNDI Implementor Guidelines for LDAP Service Providers" the definition of
the java.naming.security.sasl.authorizationId property states that:
"If this property is not set then the value of the
java.naming.security.principal property is used as the
authorization ID."
This definition forces a JNDI user to explicitly set the property
to the empty string in order to invoke the behaviour described in RFC 2222.
The derived identity approach is the general case and therefore it should be
enabled by default.
The definition of the property should be changed to read:
"If this property is not set then the authorization ID
is set to the empty string in accordance with RFC 2222."
and the LDAP provider should be altered to match this definition.
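The following is an added example, not code from the bug report or the JDK, showing how a JNDI client expresses the two identities described above. It makes the RFC 2222 derived-identity case explicit by setting java.naming.security.sasl.authorizationId to the empty string itself, so the result does not depend on which default the LDAP provider implements, and contrasts it with an explicit (proxy) authorization identity. The server URL, the DIGEST-MD5 mechanism, the principal "alice", the password and the "dn:uid=bob,..." authorization identity are placeholders; the Context constants and com.sun.jndi.ldap.LdapCtxFactory are the standard JDK names.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not code from the bug report or the JDK): builds a JNDI
 * environment for a SASL bind and spells out the RFC 2222 "derived
 * authorization identity" case instead of relying on the provider default.
 * URL, mechanism, principal, password and proxy DN below are placeholders.
 */
public class SaslAuthzIdExample {

    /** Property defined in the JNDI implementor guidelines for LDAP providers. */
    public static final String AUTHZ_ID_PROP = "java.naming.security.sasl.authorizationId";

    /**
     * Builds the environment for a SASL bind.
     *
     * @param authzId authorization identity to request, or null to have the
     *                server derive it from the authentication credentials,
     *                which RFC 2222 expresses as transmitting the empty string.
     */
    public static Hashtable<String, Object> saslEnvironment(String url, String mechanism,
            String principal, char[] password, String authzId) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);  // SASL mechanism name
        env.put(Context.SECURITY_PRINCIPAL, principal);       // authentication identity
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Under the guideline text quoted in the report, leaving this property unset
        // makes the provider send the principal as the authzid. Setting it to "" is
        // what RFC 2222 specifies for "derive it server-side", so the derived case
        // is stated explicitly here rather than left to the provider's default.
        env.put(AUTHZ_ID_PROP, authzId == null ? "" : authzId);
        return env;
    }

    /** Returns the authorization identity this environment will transmit. */
    public static String transmittedAuthzId(Hashtable<String, Object> env) {
        return (String) env.get(AUTHZ_ID_PROP);
    }

    public static void main(String[] args) {
        String url = "ldap://ldap.example.com:389";   // placeholder server
        char[] password = "changeit".toCharArray();   // placeholder credential

        // Case 1: derived identity. The client sends an empty authzid and the
        // server maps the authenticated user "alice" to an entry itself.
        Hashtable<String, Object> derived =
                saslEnvironment(url, "DIGEST-MD5", "alice", password, null);
        System.out.println("authzid sent: \"" + transmittedAuthzId(derived) + "\"");

        // Case 2: explicit (proxy) authorization. The server honours this only if
        // "alice" is permitted to act as the requested identity; otherwise the bind
        // is rejected, which is the behaviour to verify whenever a non-empty
        // authzid is sent.
        Hashtable<String, Object> proxied = saslEnvironment(url, "DIGEST-MD5", "alice",
                password, "dn:uid=bob,ou=people,dc=example,dc=com");
        System.out.println("authzid sent: \"" + transmittedAuthzId(proxied) + "\"");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(derived);
            // Read the root DSE to confirm the bind succeeded (needs a reachable server).
            Attributes root = ctx.getAttributes("", new String[] {"namingContexts"});
            System.out.println("bound; namingContexts = " + root.get("namingContexts"));
        } catch (NamingException e) {
            System.out.println("bind failed: " + e);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password in memory
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Without a server the bind attempt fails with a NamingException, but the printed authzid values already show the difference the report is about: the derived case transmits "" and the proxy case transmits the requested identity, and only the latter requires the server to have granted the authenticating user the right to assume it.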