diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index be61e049c2..f71207ce5a 100644
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -304,7 +304,6 @@ static int db_ldap_request_bind(struct ldap_connection *conn,
 i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_AUTH || conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
 i_assert(conn->pending_count == 0);
- request->msgid = ldap_bind(conn->ld, brequest->dn, request->auth_request->mech_password, LDAP_AUTH_SIMPLE);
@@ -1435,6 +1434,35 @@ db_ldap_value_get_var_expand_table(struct auth_request *auth_request,
 return table;
 }
+/* rfc2253 escaping */
+#define IS_LDAPDN_ESCAPED_CHAR(c) \
+ ((c) == '"' || (c) == '+' || (c) == ',' || (c) == '\\' || (c) == '<' || (c) == '>' || (c) == ';')
+
+const char *ldapdn_escape(const char *str,
+ const struct auth_request *auth_request ATTR_UNUSED)
+{
+ const char *p;
+ string_t *ret;
+
+ for (p = str; *p != '\0'; p++) {
+ if (IS_LDAPDN_ESCAPED_CHAR(*p))
+ break;
+ }
+
+ if (*p == '\0')
+ return str;
+
+ ret = t_str_new((size_t) (p - str) + 64);
+ str_append_n(ret, str, (size_t) (p - str));
+
+ for (; *p != '\0'; p++) {
+ if (IS_LDAPDN_ESCAPED_CHAR(*p))
+ str_append_c(ret, '\\');
+ str_append_c(ret, *p);
+ }
+ return str_c(ret);
+}
+
 #define IS_LDAP_ESCAPED_CHAR(c) \
 ((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\')
diff --git a/src/auth/db-ldap.h b/src/auth/db-ldap.h
index 53b2e5cb52..4768b126b5 100644
--- a/src/auth/db-ldap.h
+++ b/src/auth/db-ldap.h
@@ -199,6 +199,8 @@ void db_ldap_enable_input(struct ldap_connection *conn, bool enable);
 const char *ldap_escape(const char *str, const struct auth_request *auth_request);
+const char *ldapdn_escape(const char *str,
+ const struct auth_request *auth_request);
 const char *ldap_get_error(struct ldap_connection *conn);
 struct db_ldap_result_iterate_context *
diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index 2f876df87e..404725c7c2 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
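Review bot: IS_LDAPDN_ESCAPED_CHAR in ldapdn_escape covers only the characters RFC 2253 section 2.4 treats as special anywhere in a value, not the position-dependent cases the same section lists — a space or '#' at the start of the value and a space at its end — so a value that begins with '#' and contains none of the listed characters is returned as-is, and a DN parser then reads it as a hex-encoded BER value rather than the literal string. RFC 4514, which obsoletes 2253, keeps the same rule, and the `/* rfc2253 escaping */` comment could state the contract as well as the reference: `/* Escape str for use as an attribute value inside a DN (RFC 4514 2.4). Returns str itself when nothing needs escaping, else a t_str copy. */`. Adding the positional checks puts the same condition in both loops, so a small helper keeps it in one place, as sketched below.
```c
/* RFC 4514 2.4: the special characters anywhere in the value, plus a
   leading space or '#' and a trailing space */
static bool ldapdn_char_needs_escape(const char *str, const char *p)
{
	return IS_LDAPDN_ESCAPED_CHAR(*p) ||
		(p == str && (*p == ' ' || *p == '#')) ||
		(*p == ' ' && p[1] == '\0');
}

const char *ldapdn_escape(const char *str,
			  const struct auth_request *auth_request ATTR_UNUSED)
{
	/* … unchanged: declarations … */

	for (p = str; *p != '\0'; p++) {
		if (ldapdn_char_needs_escape(str, p))
			break;
	}
	/* … unchanged: early return, t_str_new() and str_append_n() of the clean prefix … */

	for (; *p != '\0'; p++) {
		if (ldapdn_char_needs_escape(str, p))
			str_append_c(ret, '\\');
		str_append_c(ret, *p);
	}
	/* … unchanged: return str_c(ret) … */
```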
@@ -198,9 +198,8 @@ static void ldap_auth_bind(struct ldap_connection *conn,
 auth_request);
 return;
 }
-
- brequest->request.callback = ldap_auth_bind_callback;
- db_ldap_request(conn, &brequest->request);
+ brequest->request.callback = ldap_auth_bind_callback;
+ db_ldap_request(conn, &brequest->request);
 }
 static void
@@ -363,7 +362,7 @@ ldap_verify_plain_auth_bind_userdn(struct auth_request *auth_request,
 brequest->request.type = LDAP_REQUEST_TYPE_BIND;
 dn = t_str_new(512);
- auth_request_var_expand(dn, conn->set.auth_bind_userdn, auth_request, ldap_escape);
+ auth_request_var_expand(dn, conn->set.auth_bind_userdn, auth_request, ldapdn_escape);
 brequest->dn = p_strdup(auth_request->pool, str_c(dn));
 ldap_auth_bind(conn, brequest);
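Review bot: The auth_request_var_expand call in ldap_verify_plain_auth_bind_userdn now uses ldapdn_escape, which is the right escaper for a DN template, but nothing at the call site says why, and the two escapers have disjoint character sets (IS_LDAP_ESCAPED_CHAR, presumably what ldap_escape applies, handles `*` `(` `)` `\` for search filters; IS_LDAPDN_ESCAPED_CHAR handles the DN specials), so a later edit could swap them back without any compiler complaint; a comment such as `/* auth_bind_userdn is a DN, not a search filter: DN escaping rules (RFC 4514) apply */` would pin the choice. Any other setting that expands request data into a DN rather than a filter would need the same escaper; that is outside this hunk and worth confirming. ldap_verify_plain_auth_bind_userdn starts before the hunk and does not close within it.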