diff --git a/src/authentic2_idp_oidc/models.py b/src/authentic2_idp_oidc/models.py
index 19ad39adc..0da97aaaa 100644
--- a/src/authentic2_idp_oidc/models.py
+++ b/src/authentic2_idp_oidc/models.py
@@ -244,6 +244,10 @@ class OIDCClient(Service):
             elif sector_identifier != hostname:
                 raise ValueError('all redirect_uri do not have the same hostname')
         elif self.authorization_mode == self.AUTHORIZATION_MODE_BY_OU:
+            if not self.ou:
+                raise ValidationError(
+                    _('OU-based authorization requires that the client be '
+                      'within an OU.'))
             sector_identifier = self.ou.slug
         else:
             raise NotImplementedError('unknown self.authorization_mode %s' % self.authorization_mode)
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index f49e7604f..962be9c1f 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -1618,6 +1618,11 @@ def test_oidc_client_clean():
         redirect_uris='https://example.com/ https://example2.com/',
         identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
 
+    with pytest.raises(ValidationError, match=r'within an OU'):
+        OIDCClient(
+            authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU,
+            ou=None).clean()
+
     OIDCClient(
         redirect_uris='https://example.com/ https://example2.com/',
         sector_identifier_uri='https://example.com/').clean()
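Review bot: The new OU check raises ValidationError while the sibling branch two lines above still raises a bare ValueError for the redirect_uri hostname mismatch, so the same clean() now reports configuration errors through two different channels; only the ValidationError will surface as a form error, the ValueError will propagate as a 500. Since the OU is what decides which users may authenticate to this client, it is worth a short why-comment on the new guard, e.g. `# Without an OU there is no population to authorize against and no sector identifier; fail validation rather than AttributeError on self.ou.slug below.` If `ou` is a nullable foreign key (hedged: the field definition is outside this hunk), `if self.ou_id is None:` expresses the same test without loading the related row. The enclosing clean() method starts and ends outside the hunk.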
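Review bot: The new assertion in test_oidc_client_clean matches on the translated message text (`match=r'within an OU'`), so it depends on the test process running with an English active language; a test run under another locale would see the gettext-translated string and fail. Matching on a stable attribute of the raised ValidationError, or activating the English translation explicitly around the block, would make the assertion locale-independent. The enclosing test function starts outside the hunk.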