Directory Authentication Has a Weak Link. We Removed It.
Most Odoo deployments that integrate with corporate directories — OpenLDAP or Active Directory — still rely on the platform's built-in LDAP authentication module. It works, but it was never designed with a hard security posture in mind. Plaintext LDAP, optional encryption, and protocol negotiation that quietly permits TLS 1.0, 1.1, or 1.2 are all common defaults in that stack. For organizations operating under PCI DSS v4.0, ISO 27001, or internal zero-fallback security policy, "optional encryption" is not a control — it's a gap waiting to be flagged in an audit.
LSE Group built Enterprise LDAPS to close that gap permanently. It is now live on the Odoo Apps Store for Odoo 19.
What Enterprise LDAPS Does
Enterprise LDAPS replaces Odoo's native LDAP authentication entirely with a hardened implementation that enforces TLS 1.3, and only TLS 1.3, on every connection to your directory server. There is no fallback path. A connection attempting to negotiate TLS 1.2 or below is refused at the socket level — not logged as a warning and allowed through, refused outright.
The module is built for enterprises running OpenLDAP 2.6+ or Active Directory with LDAPS already enabled on port 636, where directory access needs to satisfy a strict compliance mandate rather than a best-effort one.
Key Capabilities
- Native LDAPS on port 636 — fully replaces plain LDAP rather than layering encryption on top of it
- TLS 1.3 enforced via WolfSSL — no TLS 1.0/1.1/1.2 fallback under any configuration
- Argon2 password hashing for LDAP-authenticated users, protecting credentials with the Password Hashing Competition winner
- OpenLDAP 2.6+ and Active Directory compatibility
- Group-to-role mapping, translating LDAP group membership directly into Odoo internal groups
- OU-based user filtering for precise control over which directory segments can authenticate
- Let's Encrypt certificate support for streamlined certificate management
- Enterprise-grade authentication audit logging
- PCI DSS and ISO 27001 audit-ready configuration
- License enforcement via the LSE License Agent
Why TLS 1.3 Only — No Exceptions
Backward compatibility is usually framed as a convenience. In directory authentication, it's a liability. Every legacy protocol you keep "just in case" is another negotiation path an attacker can force a downgrade toward. Enterprise LDAPS takes the opposite position: if the LDAP server can't negotiate TLS 1.3, the connection doesn't happen. That's a deliberate design choice, not an oversight — it's the same logic that drives the rest of LSE Group's infrastructure stance across our compliance program.
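To make the "refused outright, not logged and allowed through" behaviour from the section above concrete, here is an added example that is not the module's code (it uses Go's standard crypto/tls rather than WolfSSL): a loopback listener with TLS 1.3 as its floor, standing in for an LDAPS server, and a client capped at a chosen protocol version. The self-signed certificate, the hostname ldap.example.test and the ephemeral port are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// HandshakeAllowed runs a TLS 1.3-only listener standing in for an LDAPS server on 636 and
// reports whether a client capped at clientMax gets through; err covers local setup failures only.
func HandshakeAllowed(clientMax uint16) (bool, error) {
	// Throwaway self-signed certificate (constructed for this demo) so verification stays on.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ldap.example.test"},
		DNSNames: []string{"ldap.example.test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// Server side: TLS 1.3 is the floor, so there is no lower version to negotiate down to.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // answers a TLS <= 1.2 ClientHello with a protocol_version alert
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool,
		ServerName: "ldap.example.test", MinVersion: tls.VersionTLS12, MaxVersion: clientMax})
	if err != nil {
		return false, nil // refused inside the handshake, before any LDAP bind: no downgrade path
	}
	conn.Close()
	return true, nil
}
```

Calling HandshakeAllowed(tls.VersionTLS12) returns false because the server answers the legacy ClientHello with a protocol_version alert, while HandshakeAllowed(tls.VersionTLS13) returns true.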
Built on WolfSSL — Not GnuTLS
Enterprise LDAPS uses WolfSSL rather than GnuTLS as its cryptographic backbone. WolfSSL is FIPS 140-3 validated, carries a substantially smaller attack surface than GnuTLS, and is purpose-built for embedded and security-critical environments. It's the TLS library LSE Group standardizes on across PCI DSS Level 1 deployments — this module is no exception.
PCI DSS v4.0 Alignment
Enterprise LDAPS directly addresses two PCI DSS v4.0 requirements that frequently surface in audit findings for organizations using LDAP-integrated business applications:
- Requirement 8.3.2 — strong cryptography for all authentication
- Requirement 2.2.7 — encryption of all non-console administrative access
Audit evidence documenting this alignment is available on request for organizations preparing for assessment.
Requirements
- Odoo 19 Community or Enterprise
- OpenLDAP 2.6+ or Active Directory with port 636 enabled
- A valid TLS certificate on your LDAP server
- python-ldap and argon2-cffi Python packages
- Replaces the built-in auth_ldap module
Availability
Enterprise LDAPS is available now for Odoo.sh and On-Premise deployments, licensed under OPL-1.
View Enterprise LDAPS on the Odoo Apps Store →
For commercial support, reach our team at support@lumanet.info.