From 33038b9f861e7ea5cf4a15615737cf546dc72027 Mon Sep 17 00:00:00 2001
From: Michal Galet
Date: Thu, 7 May 2015 22:35:40 +0200
Subject: [PATCH] LDAP auth: Escape filter value for group membership search

The result from a user search need to be escaped when put to the group membership search. Otherwise the search will result with: [ERROR ] Exception thrown while retrieving group membership in AD: {'desc': 'Bad search filter'}
---
 salt/auth/ldap.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/auth/ldap.py b/salt/auth/ldap.py
index 93bdff1164..5014c0471d 100644
--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@@ -269,8 +269,9 @@ def groups(username, **kwargs):
 log.error('Could not get distinguished name for user {0}'.format(username))
 return group_list
 # LDAP results are always tuples. First entry in the tuple is the DN
- dn = user_dn_results[0][0]
+ dn = ldap.filter.escape_filter_chars(user_dn_results[0][0])
 ldap_search_string = '(&(member={0})(objectClass={1}))'.format(dn, _config('groupclass'))
+ log.debug('Running LDAP group membership search: {0}'.format(ldap_search_string))
 try:
 search_results = bind.search_s(_config('basedn'),
 ldap.SCOPE_SUBTREE,
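Review bot: The escaped value is written back into `dn`, so any later use of `dn` in groups() that is not a search filter (a search base, or a comparison against returned member values) would see the backslash-escaped form rather than the real DN. The function continues past the end of the hunk, so this cannot be confirmed from here. Keeping the raw DN and escaping only where it is interpolated avoids the ambiguity: `dn = user_dn_results[0][0]` followed by `.format(ldap.filter.escape_filter_chars(dn), _config('groupclass'))`. The diffstat shows no import change, so it is also worth confirming that the module imports `ldap.filter` explicitly, since `import ldap` alone does not guarantee the submodule is loaded. The new assignment sits above the `try:` shown in the hunk, so an AttributeError there would not be handled by that block.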