No. It's part of the LDAP query.
In order to avoid external users logging in with names that are valid
LDAP queries, the untrusted user input is escaped before it is passed to
the LDAP module.
Apparently something in the ldap_escape_func is broken when talking to
Microsoft AD. I replaced the code of that function with the much more
lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html