How to Connect LDAP / Active Directory to Odoo for Authentication

DeployMonkey Team · March 23, 2026 · 11 min read

Why LDAP Authentication for Odoo?

Enterprises with Active Directory or LDAP directories want single sign-on across all applications. Without LDAP integration, each Odoo user needs a separate password, IT must manage accounts in two places, and terminated employees retain Odoo access until someone remembers to deactivate them. LDAP integration solves all three: users log into Odoo with their AD credentials, accounts are created automatically, and disabling an AD account immediately blocks Odoo access.

Prerequisites

  • Odoo 17 or 18 (Community or Enterprise)
  • LDAP server (Microsoft Active Directory, OpenLDAP, FreeIPA, or similar)
  • Network connectivity between the Odoo server and the LDAP server (port 389, or 636 for LDAPS)
  • LDAP bind account with read access to the user directory
  • Odoo auth_ldap module (ships with Odoo)

Step 1: Install the LDAP Module

  1. In Odoo, go to Apps
  2. Search for LDAP Authentication (technical name: auth_ldap)
  3. Click Install

Step 2: Configure the LDAP Server Connection

  1. Go to Settings → General Settings → Integrations → LDAP Authentication
  2. Click Add an LDAP Server
  3. Fill in the connection details:
| Field | Example Value | Notes |
| --- | --- | --- |
| LDAP Server | ldap://ad.company.com | Use ldaps:// for SSL (port 636) |
| LDAP Server Port | 389 | 636 for LDAPS |
| LDAP Base DN | DC=company,DC=com | Root of your AD tree |
| LDAP Bind DN | CN=odoo-svc,OU=Service,DC=company,DC=com | Service account DN |
| LDAP Bind Password | (service account password) | Stored encrypted in Odoo DB |
| LDAP Filter | (&(objectClass=user)(sAMAccountName=%s)) | %s = login entered by user |
| Create User | Checked | Auto-creates Odoo user on first login |

Step 3: Test the Connection

  1. After saving, click Test Connection
  2. If successful, try logging in with an AD account
  3. The first login creates the Odoo user automatically (if "Create User" is enabled)
  4. Check the new user's record in Settings → Users

Step 4: Configure User Auto-Creation

When LDAP creates a user in Odoo, it maps these fields:

  • Login: sAMAccountName (or uid for OpenLDAP)
  • Name: cn (common name) from LDAP
  • Email: mail attribute from LDAP

New LDAP users get the default internal user template. To customize default groups, modify the Default User Template in Settings → Users → Default User.

Step 5: Map AD Groups to Odoo Groups (Advanced)

By default, LDAP-created users get the same default groups. For automatic group assignment based on AD group membership, you need a custom module or post-login hook:

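# Pseudocode for AD group → Odoo group mapping
# Run after successful LDAP authentication

# ldap_query is a placeholder for your own helper; it returns the
# user's memberOf values (group DNs) as strings.
ad_groups = ldap_query(user_dn, 'memberOf')

# env.ref() resolves XML IDs, not display names, so each AD group DN maps
# to the XML ID of the Odoo group (display name given in the comment).
mapping = {
    'CN=Sales,OU=Groups,DC=company,DC=com': 'sales_team.group_sale_salesman',      # Sales / User
    'CN=Accounting,OU=Groups,DC=company,DC=com': 'account.group_account_invoice',  # Invoicing / Billing
    'CN=HR,OU=Groups,DC=company,DC=com': 'hr.group_hr_user',                       # HR / Officer
    'CN=IT,OU=Groups,DC=company,DC=com': 'base.group_system',                      # Administration / Settings
}

for ad_group in ad_groups:
    if ad_group in mapping:
        odoo_group = env.ref(mapping[ad_group])
        user.groups_id |= odoo_group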
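
The mapping above only ever adds groups, so a user removed from an AD group keeps the Odoo access it granted. The following added example (not part of the original article and not Odoo's code) goes one step further and computes both the groups to add and the groups to revoke, matching DNs case-insensitively. The names GROUP_MAP, normalize_dn and plan_group_sync are hypothetical, and the DNs are constructed sample values.

```python
# Added example: reconcile mapped Odoo groups against AD memberOf values.
# Pure Python; the DNs below are constructed sample values.

GROUP_MAP = {
    "CN=Sales,OU=Groups,DC=company,DC=com": "sales_team.group_sale_salesman",
    "CN=Accounting,OU=Groups,DC=company,DC=com": "account.group_account_invoice",
    "CN=IT,OU=Groups,DC=company,DC=com": "base.group_system",
}


def normalize_dn(dn):
    """Return a comparable form of a DN (AD compares DNs case-insensitively)."""
    if isinstance(dn, bytes):  # python-ldap returns attribute values as bytes
        dn = dn.decode("utf-8")
    return dn.strip().lower()


def plan_group_sync(member_of, current_groups, group_map=GROUP_MAP):
    """Return (to_add, to_remove) as sets of Odoo group XML IDs.

    Only groups named in group_map are managed. Groups granted by hand in
    Odoo that are not in the map are never touched.
    Note: memberOf lists direct memberships only; nested groups and the
    AD primary group do not appear in it.
    """
    managed = {normalize_dn(dn): xml_id for dn, xml_id in group_map.items()}
    entitled = {managed[d] for d in map(normalize_dn, member_of) if d in managed}
    held = set(current_groups) & set(managed.values())
    return entitled - held, held - entitled
```

In a custom module, the two sets would be resolved with env.ref() and applied to user.groups_id on each successful LDAP login.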

Step 6: Enforce LDAP-Only Login (Optional)

To prevent users from logging in with local Odoo passwords after LDAP is set up:

  • Remove the password for LDAP users (set password hash to null)
  • The auth_ldap module automatically falls through to LDAP when local auth fails
  • Keep at least one local admin account as a fallback in case LDAP goes down

LDAPS (LDAP over SSL) Configuration

For production, always use LDAPS to encrypt credentials in transit:

  1. Use ldaps://ad.company.com:636 as the server URL
  2. If using a self-signed certificate, add the CA certificate to the Odoo server's trust store: /etc/ssl/certs/
  3. Set the environment variable LDAPTLS_CACERT=/path/to/ca.crt for the Odoo process

Troubleshooting

Connection Refused

Verify network connectivity: telnet ad.company.com 389. Check firewalls between the Odoo server and LDAP server. If using Docker, ensure the container can reach the AD server (may need host networking or DNS configuration).

Bind Failed

The bind DN must be the full distinguished name, not just the username. For AD: CN=odoo-svc,OU=Service Accounts,DC=company,DC=com. Test the bind with ldapsearch from the Odoo server command line.

Users Not Found

Check the LDAP filter. For Active Directory, use sAMAccountName. For OpenLDAP, use uid. The %s placeholder must be present — it is replaced with the login the user types. Test your filter with ldapsearch -b "DC=company,DC=com" "(&(objectClass=user)(sAMAccountName=testuser))"
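
Because the login is typed by the user and substituted into the filter, it has to be escaped first, and the search has to resolve to exactly one entry before any bind is attempted. The following added example (not Odoo's code and not part of the original article) shows those checks with the standard library only. The function names are hypothetical, and the logins and search results used with it are constructed.

```python
# Added example: the checks around the "%s" filter in a search-then-bind login.
# Standard library only; not Odoo's implementation.

FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s))"  # from Step 2

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape user input so it matches literally and never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, login):
    """Substitute one escaped login into a template holding exactly one %s."""
    if template.count("%s") != 1:
        raise ValueError("filter must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(login))


def dn_to_bind(login, password, search_results):
    """Return the DN to bind as, or None if the attempt must be rejected.

    search_results is a list of (dn, attrs) tuples as an LDAP client returns
    them; AD referral entries carry dn None and are ignored.
    """
    # An empty password turns a simple bind into an unauthenticated bind
    # (RFC 4513), which many servers accept, so refuse it before binding.
    if not login or not password:
        return None
    entries = [dn for dn, _attrs in search_results if dn]
    # Zero matches: unknown user. Several matches: the filter is too loose.
    return entries[0] if len(entries) == 1 else None
```

With python-ldap installed, ldap.filter.escape_filter_chars performs the same escaping.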

User Created But Cannot Access Anything

LDAP-created users get the Default User template groups. If this template has no groups, the user sees a blank Odoo. Update the Default User template or implement AD group mapping.

DeployMonkey LDAP Support

DeployMonkey instances can connect to your corporate LDAP or Active Directory for centralized authentication. Our AI agent can help configure the connection, test filters, and set up group mapping — eliminating the trial-and-error typically involved in LDAP configuration.