diff -u sssd-1.15.0/debian/changelog sssd-1.15.0/debian/changelog
--- sssd-1.15.0/debian/changelog
+++ sssd-1.15.0/debian/changelog
@@ -1,3 +1,10 @@
+sssd (1.15.0-3ubuntu5) zesty; urgency=medium
+
+ * d/p/sanitize_newline.diff: Sanitize newline and carriage return
+ characters before LDAP queries. (LP: #1669712)
+
+ -- Victor Tapia Fri, 10 Mar 2017 14:02:53 +0100
+
 sssd (1.15.0-3ubuntu4) zesty; urgency=medium
 
 * Rebuild against new samba/libldb. (LP: #1664785)
diff -u sssd-1.15.0/debian/patches/series sssd-1.15.0/debian/patches/series
--- sssd-1.15.0/debian/patches/series
+++ sssd-1.15.0/debian/patches/series
@@ -2,0 +3 @@
+sanitize_newline.diff
only in patch2:
unchanged:
--- sssd-1.15.0.orig/debian/patches/sanitize_newline.diff
+++ sssd-1.15.0/debian/patches/sanitize_newline.diff
@@ -0,0 +1,30 @@
+Description: Sanitize newline and return carriage characters
+ Introducing valid usernames with trailing newline or return carriage
+ characters triggers the removal of valid LDB cache entries. This patch
+ sanitizes these characters in order to fix the LDAP query, addressing
+ the issue.
+
+Author: Victor Tapia
+Bug: https://pagure.io/SSSD/sssd/issue/3317
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1669712
+Last-Update: 2017-03-10
+
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -589,6 +589,16 @@
+ output[j++] = '5';
+ output[j++] = 'c';
+ break;
++ case '\r':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'd';
++ break;
++ case '\n':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'a';
++ break;
+ default:
+ output[j++] = input[i];
+ }
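Review bot: The `case '\r':` and `case '\n':` arms added to the switch in `src/util/util.c` extend an enumerated escape list, so any other control byte (a tab, for instance) still reaches `default:` and is copied into the filter unescaped. If the cache-entry removal described in the patch header comes from how the filter string is parsed rather than from CR/LF specifically, a single range check ahead of the switch that hex-escapes every byte below 0x20 would be more durable than adding cases one at a time. Each new arm writes three output bytes for one input byte, which appears to match the existing arm ending in `'5'`, `'c'`, so it depends on `output` being sized for that worst case; the allocation, like the start and end of the switch and its enclosing function, lies outside the hunk and should be confirmed. A comment such as `/* CR and LF are hex-escaped (\0d, \0a) so a trailing newline in a name cannot change the lookup */` and a regression test with names ending in `\r` and `\n` would pin the intended behaviour.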