Overview#

MUST or the terms "REQUIRED" or "SHALL", (RFC 2119), which are Case-sensitive (RFC 8174) mean that the definition is an absolute requirement of the specification.

An implementation which does not include this particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality.

In the same vein an implementation which does include this particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

We may use MUST in other contexts but we are implying the same interpretation as a Best Current Practice

LDAP#

MUST or the term "REQUIRED" indicates the Attributes that MUST contain values within the specified ObjectClass.

More Information#

There might be more information for this subject on one of the following:

• 2.16.840.1.113719.1.1.4.1.96
• 2.5.6.13
• 4G
• ACDC Grant type
• ACL (eDirectory Attribute)
• ARecord
• AbzillaPerson
• Access Control Policy
• Access Token Type
• Access Token Validation
• AccountExpires
• AccountNameHistory
• Acr_values
• AdministrativeRole
• AdministratorsAddress
• AllowedAttributesEffective
• AnyPolicy
• Application_type
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• Assistant
• AssociatedDomain
• AssociatedInternetGateway
• AssociatedName
• Attribute references
• AttributeSchema
• AttributeSecurityGUID
• AttributeSyntax
• Aud
• Audio
• Authentication Context Class Reference
• Authentication Context Class Values
• Authentication Request
• AuthorityKeyIdentifier
• Authorization Code Flow
• Authorization Response
• Authorization Server Authentication of the End-User
• Authorization Server Request End-User Consent-Authorization
• Authorization_endpoint
• Authorized party
• Automount
• AutomountMap
• AutomountMapName
• Bank Secrecy Act
• Best Practices For LDAP Naming Attributes
• Best Practices OpenID Connect
• Best Practices Password
• Biometric Sensor
• BirthName
• Birthdate
• BootableDevice
• BuildingName
• CTAP2 Platform Host
• Cache-Control
• Certificate Extensions
• Certificate Validation
• Certificate Version
• ChangeLogEntry
• ChangeNumber
• Changelog
• Changes
• Channel Binding
• Children
• Cipher_suites
• City
• ClassDisplayName
• Client Secret
• ClientHello
• Cn
• Co
• CollectiveAttributeSubentries
• CollectiveAttributeSubentry
• CollectiveExclusions
• Commitment Scheme
• Company
• Compliance Layer
• Consent Receipts
• Container
• Contract of Adhesion
• Country
• Country-Code
• CountryName
• CountryOfCitizenship
• CountryOfResidence
• Covert Redirect Vulnerability
• CreateTimestamp
• CrossRef
• Cryptographic Hash Function
• Cryptographic Key
• Cryptography
• Custodian
• DC
• DID Authentication
• DID Context
• DID Document
• DID Fragment
• DID Guardian
• DID Operations
• DID Service Endpoint
• DID Subject
• DID descriptor objects
• DID method specification
• DITContentRules
• DITStructureRules
• DN Syntax
• DNSName
• DSA ObjectClass
• Data
• Data Processor
• Data Security Analytics
• Data anonymization
• DateOfBirth
• DateOfDeath
• DeathDate
• Decentralized Identifier
• DefaultHidingValue
• DefaultObjectCategory
• DepartmentNumber
• Deprecating Secure Sockets Layer Version 3.0
• Description
• Device
• DhcpDomainName
• DhcpRelayAgentInfo
• DicAppData
• DicAppInfo
• Digital Signature Algorithm
• DirXML-ConfigValues
• DirXML-DriverFilter
• DirXML-DriverStartOption
• DirXML-JavaDebugPort
• DirXML-NTAccountName
• DirXML-NamedPasswords
• DirXML-PasswordSyncStatus
• DirXML-ShimAuthPassword
• DirectReports
• DisplayName
• Dmd
• Domain
• Domain Authorization Document
• Domain Validated Certificate
• DomainComponent
• DomainControllerFunctionality
• DomainFunctionality
• Draft-behera-ldap-password-policy
• DsRevision
• EDirCloneLock
• EDirectory Monitor Entry
• EmailAddress
• EmployeeNumber
• Enc
• Encoding claims in the OAuth 2 state parameter using a JWT
• EncryptedExtensions
• EndGroupingResponse
• EnhancedSearchGuide
• Event Data Recorder
• Exp
• Exploitability Metrics
• ExtendedCharsAllowed
• ExtensibleObject
• FHIR Resource
• FIDO Authenticator
• FacsimileTelephoneNumber
• Family Educational Rights and Privacy Act
• Fast Healthcare Interoperability Resources
• Federated Authorization for UMA 2.0
• Fiduciary Responsibility
• FilteredReplicaUsage
• Filtering for Bit Fields
• ForestFunctionality
• Form Post Response Mode
• Frontchannel_logout_uri
• FullName
• Functional Requirement
• Gecos
• Gender
• GidNumber
• Google Authenticator
• Grace Logins
• GroupOfNames
• GroupType
• HIPAA Covered Entity
• HTTP 100
• HTTP 503
• HTTP Body
• HTTP Header Field
• HTTP Status Code
• HTTP Warn Codes
• HelloRetryRequest
• Holder
• HomeCity
• HomeDirectory
• HomeInfo
• HomePhone
• HomeState
• HostResourceName
• HttpSessionTimeout
• IPAddress
• Id_token_signing_alg_values_supported
• Identify and Authenticate access to system components
• Identity Token
• Identity Token Claims
• Identity Token Validation
• Increment
• IndexDefinition
• InetOrgPerson
• Informational
• Initialization Vector
• Initials
• Initiate_login_uri
• IntegerFirstComponentMatch
• Internet Relay Chat
• IpProtocol
• IpProtocolNumber
• IpService
• IpServicePort
• IpServiceProtocol
• IsDefunct
• IsDeleted
• IsEphemeral
• IsRecycled
• Iss
• Issuer
• JOSE Header
• JSON Resource Descriptor
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• JSON Web Token Claims
• JWK Set
• Kerberos
• Kerberos SSP
• Key Distribution Center
• Key words for use in RFCs to Indicate Requirement Levels
• KeyCertSign
• KeyUsage
• LDAP Entry
• LDAP Three-valued logic
• LDAP URL
• LDAPAdminLimits
• LOA 2
• LOA 3
• LabeledUri
• Language
• LanguageId
• LdapGroup
• LdapGroupDN
• LdapInterfaces
• LdapKeyMaterialName
• LdapServerIdleTimeout
• LdapStdCompliance
• LegacyExchangeDN
• LinkID
• LocalReceivedUpTo
• Localhost
• Locality
• LoginDisabled
• LoginMaximumSimultaneous
• LoginShell
• Login_hint_token
• Logout Token
• Loopback Interface Redirection
• M-04-04 Level of Assurance (LOA)
• MUST
• MacAddress
• Mail
• MailboxRelatedObject
• ManagedBy
• Manager
• MapiID
• Member
• MemberOf
• MemberQueryURL
• MemberUid
• Memory
• Microservice
• Mobile
• ModifiersName
• ModifyTimestamp
• MsDS-AdditionalSamAccountName
• MsDS-GroupManagedServiceAccount
• MsDS-HasInstantiatedNCs
• MsDS-LockoutDuration
• MsDS-LockoutObservationWindow
• MsDS-LockoutThreshold
• MsDS-MaximumPasswordAge
• MsDS-MinimumPasswordAge
• MsDS-MinimumPasswordLength
• MsDS-PSOAppliesTo
• MsDS-PasswordComplexityEnabled
• MsDS-PasswordHistoryLength
• MsDS-PasswordReversibleEncryptionEnabled
• MsDS-PasswordSettings
• MsDS-PasswordSettingsContainer
• MsDS-PasswordSettingsPrecedence
• MsDS-PhoneticCompanyName
• MsDS-PhoneticDepartment
• MsDS-SupportedEncryptionTypes
• MsDS-TrustForestTrustInfo
• MsDS-User-Account-Control-Computed
• Mutual Authentication
• Mutual TLS Sender Constrained Resources Access
• NDS Master Replica
• NDS Unknow Entries
• NDSPKIKeyMaterialDN
• NDSPKISDKeyAccessPartition
• NDSPKISDKeyServerDN
• NDSRightsToMonitor
• NICI
• NTDSDSA
• NTDSService
• NTDSSiteSettings
• Name Form Description
• NameForms
• Naming Attributes
• Nbf
• NdsLoginProperties
• NdsStatusLimber
• NdspkiIssueTime
• Netlogon attribute
• NetworkAddress
• NewRDN
• NewSuperior
• NisDomain
• NisDomainObject
• NisMap
• NisMapEntry
• NisNetgroup
• NisNetgroupTriple
• NisObject
• Nonce
• NspmAdminsDoNotExpirePassword
• NspmComplexityRules
• NspmConfigurationOptions
• NspmDoNotExpirePassword
• NspmMaximumLength
• NspmPassword
• NspmPasswordAux
• NspmPasswordKey
• NspmPasswordPolicy
• NspmPasswordPolicyDN
• NspmPolicyAgentAIX
• NspmSpecialAsLastCharacter
• OAuth 2.0 Audience Information
• OAuth 2.0 Client Registration
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
• OAuth 2.0 Security Best Current Practice
• OAuth 2.0 Security Considerations
• OAuth 2.0 Threat Model and Security Configurations
• OAuth 2.0 Token Revocation
• OAuth 2.0 for Native Apps
• OAuth Confidential Client
• OAuth Dynamic Client Registration Metadata
• OAuth Scope Example
• OAuth Scope Validation
• OAuth Scopes
• OAuth Token Request
• OAuth Token Response
• OMObjectClass
• OMSyntax
• Obituary
• Object Class Description
• Object Class Inheritance
• Object(Access-Point)
• ObjectClass=unknown
• ObjectClasses
• ObjectGUID
• Offline_access
• OncRpc
• OpenID Connect Authentication Response
• OpenID Connect Back-Channel Logout
• OpenID Connect Claims
• OpenID Connect Federation
• OpenID Connect Front-Channel Logout
• OpenID Connect Session Management
• OpenID Connect Standard Claims
• OpenID Provider Issuer Discovery
• Openid-configuration
• Organization
• OrganizationalUnit
• Ou
• Owner
• Partition
• PartitionStatus
• PassSyncConfig.cpl
• Password Character Composition
• Password Flow From Active Directory to eDirectory
• Password Life Time
• Password MUST Change
• Password Maximum Age
• PasswordExpirationTime
• PasswordMinimumLength
• PasswordsUsed
• PathLenConstraint
• Payment Services Directive
• Person
• Photo
• PhysicalDeliveryOfficeName
• PlaceOfBirth
• Policy Based Management System
• PolicyConstraints
• PosixAccount
• PostalCode
• PreferredServerList
• PresentationAddress
• PrimaryGroupID
• Privacy Considerations
• Private-Use URI Scheme Redirection
• Product Owner
• Production Implementation
• Production tier
• Prompt Parameter
• Proof Key for Code Exchange by OAuth Public Clients
• Proof-of-Possession
• Protected Data
• Protection API
• Prototyping
• Proxy
• ProxyAddresses
• PurgeVector
• PwdAccountLockedTime
• PwdExpireWarning
• PwdInHistory
• PwdMinAge
• PwdMustChange
• QueryPolicy
• QueryPolicyObject
• Queue
• REQUIRED
• RFC 2119
• RdnAttId
• Reciprocal OAuth
• Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
• Record Protocol
• Reference
• Removing Failed Server
• Replica
• ReplicaUpTo
• Reporting Body Identifier
• Representational State Transfer
• Request_object_signing_alg
• Resolution_AttrubuteType
• Resource
• Response_type
• Revision
• Revocation Request
• Revocation_endpoint
• Roaming Authenticator
• RootDSE
• SASLoginPolicy
• SASService
• SCIM Common Attribute
• SCIM Delete Request
• SCIM Password Management Extension
• SCIM Replace Request
• SCIM Schemas Attribute
• SCIM externalId
• SCIM id
• SCIM meta
• SHALL
• SUP
• SamAccountName
• SambaLMPassword
• SapAddOnUM
• SchemaFlagsEx
• SearchFlags
• SearchGuide
• SearchResultReference
• SearchSizeLimit
• SearchTimeLimit
• Sec-Token-Binding
• Secure connection
• Security Considerations
• Security Descriptor Description Language
• Security Domain Infrastructure
• SecurityPrincipal
• SeeAlso
• Select_account
• Self-Issued OpenID Provider
• SerialNumber
• ServerHello
• ServerHolds
• ServiceConnectionPoint
• ServiceDNSName
• ShadowAccount
• ShadowExpire
• ShadowFlag
• ShadowInactive
• ShadowMax
• ShadowMin
• ShadowWarning
• Site
• Sketching
• SslEnableMutualAuthentication
• Street
• StringOrURI
• Sub
• Subject Alternative Name
• SubjectKeyIdentifier
• Subschema
• Supported_versions
• SynchronizedUpTo
• System-Id-Guid
• TBSCertificate
• TLS 1.3
• TLS ContentType
• TLS Renegotiation
• TargetDN
• TelephoneNumber
• Thread network layer
• Timezone
• TokenGroups
• Token_type_hint
• TombstoneLifetime
• TransitiveVector
• Triple DES
• TrustedDomain
• UidNumber
• UidObject
• Uma-configuration
• Understanding DIT Content Rules
• UniqueIdentifier
• UniqueMember
• UnixHomeDirectory
• UnknownBaseClass
• Upgraded
• User
• UserInfo Request
• UserInfo Response
• Userinfo_endpoint
• UsnChanged
• VPIMUser
• Victor
• Virtual Authenticator
• WX Entries
• Web host-meta data
• WebAuthn Authenticator Model
• WhenChanged
• X-NDS_NAMING
• X500UniqueIdentifier
• Z-Wave Node ID
• Zigbee
• Zigbee Coordinator
• nrfInheritedRoles
• shadowLastChange