diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index 7dcbf60019..80e3e82ff1 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -15,6 +15,7 @@ from __future__ import absolute_import
 import uuid
 
 import ldap
+import ldap.filter
 
 from keystone import clean
 from keystone.common import dependency
@@ -328,9 +329,10 @@ class GroupApi(common_ldap.BaseLdap):
     def list_user_groups(self, user_dn):
         """Return a list of groups for which the user is a member."""
 
+        user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
         query = '(&(objectClass=%s)(%s=%s)%s)' % (self.object_class,
                                                   self.member_attribute,
-                                                  user_dn,
+                                                  user_dn_esc,
                                                   self.ldap_filter or '')
         memberships = self.get_all(query)
         return memberships