diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index df46ed085..576828470 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -228,7 +228,7 @@ class AuthSourceLdap < AuthSource
       ldap_con = initialize_ldap_con(self.account, self.account_password)
     end
     attrs = {}
-    search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
+    search_filter = base_filter & Net::LDAP::Filter.equals(self.attr_login, login)
     ldap_con.search(:base => self.base_dn,
                      :filter => search_filter,
                      :attributes=> search_attributes) do |entry|
diff --git a/test/unit/auth_source_ldap_test.rb b/test/unit/auth_source_ldap_test.rb
index a3a257b67..012ecd905 100644
--- a/test/unit/auth_source_ldap_test.rb
+++ b/test/unit/auth_source_ldap_test.rb
@@ -161,6 +161,13 @@ class AuthSourceLdapTest < ActiveSupport::TestCase
       assert_nil auth.authenticate('edavis', '123456')
     end
 
+    test '#authenticate with special characters in login should not allow filter manipulation' do
+      auth = AuthSourceLdap.find(1)
+
+      result = auth.authenticate("*", "123456")
+      assert_nil result
+    end
+
     def test_authenticate_should_timeout
       auth_source = AuthSourceLdap.find(1)
       auth_source.timeout = 1