diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 10a577de0a..fc900516c9 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -1826,7 +1826,8 @@ class EnabledEmuMixIn(BaseLdap):
 
     def _get_enabled(self, object_id, conn):
         dn = self._id_to_dn(object_id)
-        query = '(%s=%s)' % (self.member_attribute, dn)
+        query = '(%s=%s)' % (self.member_attribute,
+                             ldap.filter.escape_filter_chars(dn))
         try:
             enabled_value = conn.search_s(self.enabled_emulation_dn,
                                           ldap.SCOPE_BASE,
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index c98537e8ea..40da381cd5 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -2253,17 +2253,17 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
 
         # ) is a special char in a filter and must be escaped.
         sample_dn = 'cn=foo)bar'
+        # LDAP requires ) is escaped by being replaced with "\29"
+        sample_dn_filter_esc = r'cn=foo\29bar'
         # Override the tree_dn, it's used to build the enabled member filter
         mixin_impl.tree_dn = sample_dn
         # The filter that _get_enabled is going to build contains the
         # tree_dn, which better be escaped in this case.
-        # Note that the tree_dn isn't escaped and will lead to an invalid
-        # filter! See bug 1532345.
         exp_filter = '(%s=%s=%s,%s)' % (
             mixin_impl.member_attribute,
             mixin_impl.id_attr,
             object_id,
-            sample_dn)
+            sample_dn_filter_esc)
         with mixin_impl.get_connection() as conn:
             m = self.useFixture(mockpatch.PatchObject(conn, 'search_s')).mock
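Review bot: The new query line in _get_enabled depends on `ldap.filter` being reachable as an attribute of `ldap`, which a bare `import ldap` does not guarantee in python-ldap; this is only safe if core.py already has `import ldap.filter` at module level, which is outside the hunk, so please confirm. Since the value being escaped is derived from object_id, the part of the DN a caller influences, a why-comment would keep the next maintainer from dropping the call: `# dn is derived from object_id; escape it so a caller-supplied id cannot change the filter's meaning.` As a point of style, python-ldap's `query = ldap.filter.filter_format('(%s=%s)', [self.member_attribute, dn])` expresses the same escaping in one call and escapes every interpolated value, so a later edit that adds another `%s` cannot silently reintroduce the unescaped path. The accompanying test in test_backend_ldap.py only exercises a special character in tree_dn; a case with a special character in object_id would pin the escaping of the caller-controlled portion. _get_enabled's body continues past the hunk.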