diff --git a/src/metabase/integrations/ldap.clj b/src/metabase/integrations/ldap.clj
index b3987b00f867468275977b9f96130f15efa2320d..40bd54bde0621e7619c2de89dcda2f7dc7b5c23e 100644
--- a/src/metabase/integrations/ldap.clj
+++ b/src/metabase/integrations/ldap.clj
@@ -98,7 +98,7 @@
 (defn- escape-value
   "Escapes a value for use in an LDAP filter expression."
   [value]
-  (str/replace value #"[\*\(\)\\\\0]" (comp (partial format "\\%02X") int first)))
+  (str/replace value #"(?:^\s|\s$|[,\\\#\+<>;\"=\*\(\)\\0])" (comp (partial format "\\%02X") int first)))
 
 (defn- get-connection
   "Connects to LDAP with the currently set settings and returns the connection."
diff --git a/test/metabase/integrations/ldap_test.clj b/test/metabase/integrations/ldap_test.clj
index 859dad02e43dfdf0602de86ae6fd5bdd12ec8bee..d0853c0b058aa76d5073f49fc24f72c7cecf2ab6 100644
--- a/test/metabase/integrations/ldap_test.clj
+++ b/test/metabase/integrations/ldap_test.clj
@@ -15,8 +15,12 @@
 ;; See test_resources/ldap.ldif for fixtures
 
 (expect
-  "\\2AJohn \\28Dude\\29 Doe\\5C"
-  (#'ldap/escape-value "*John (Dude) Doe\\"))
+  "\\20\\2AJohn \\28Dude\\29 Doe\\5C"
+  (#'ldap/escape-value " *John (Dude) Doe\\"))
+
+(expect
+  "John\\2BSmith@metabase.com"
+  (#'ldap/escape-value "John+Smith@metabase.com"))
 
 ;; The connection test should pass with valid settings
 (expect-with-ldap-server