diff --git a/src/api.rs b/src/api.rs
index 1f72074..d9c7148 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -15,7 +15,7 @@
 // You should have received a copy of the GNU General Affero Public License
 // along with the WebLDAPPasswd. If not, see .
 use handlebars::Handlebars;
-use ldap3::LdapConn;
+use ldap3::{ldap_escape, LdapConn};
 use ldap3::exop::PasswordModify;
 use ldap3::result::{LdapError, Result};
 use rocket_contrib::json::Json;
@@ -49,7 +49,8 @@ fn change_password(data: &Json, context: &rocket::State) -> Result<()> {
 let dn = Handlebars::new()
- .render_template(&context.dn, &json!({"username" : &data.username}))
+ .render_template(&context.dn,
+ &json!({"username" : ldap_escape(&data.username)}))
 .expect("Unexpected DN template error. Was tested in config.rs");
 let mut ldap = LdapConn::new(&context.ldap_url)?;
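Review bot: `ldap_escape` applies search-filter escaping (RFC 4515), but in `change_password` the value is substituted into a DN template, where the significant characters are those of RFC 4514 (`,`, `+`, `=`, `"`, `<`, `>`, `;`, a leading `#` or space), and a filter escaper leaves most of them unchanged. If the ldap3 version in use provides `dn_escape`, the call should read `&json!({"username" : dn_escape(&data.username)}))`; otherwise validate the username against a strict allow-list before rendering. Handlebars HTML-escapes `{{username}}` by default, so it is also worth confirming that this does not alter the rendered DN; that depends on the template in the configuration, which is not visible here. The body of `change_password` continues past the end of the hunk.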