diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index b7340b041bdd71ae6b3f8f371fec29bc3a2c504a..8c9db1bd1fb8a73bfcea282291c92c60bf294d2d 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -16,6 +16,7 @@
 #define _LDAP_PVT_H 1
 
 #include <ldap_cdefs.h>
+#include <lber.h>				/* get ber_slen_t */
 
 LDAP_BEGIN_DECL
 
@@ -98,6 +99,13 @@ int ldap_pvt_unhex( int c );
 
 #define LDAP_NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')
 
+/* search.c */
+LDAP_F( char * )
+ldap_pvt_find_wildcard LDAP_P((	char *s ));
+
+LDAP_F( ber_slen_t )
+ldap_pvt_filter_value_unescape LDAP_P(( char *filter ));
+
 /* string.c */
 LDAP_F( char * )
 ldap_pvt_str2upper LDAP_P(( char *str ));
diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c
index bb9f1c28f86ad0d45294e377392459fa7d682a6b..84228997741a983e55640fc2556a5509302f3c39 100644
--- a/libraries/libldap/search.c
+++ b/libraries/libldap/search.c
@@ -31,15 +31,9 @@ static int ldap_is_attr_desc LDAP_P((
 static int hex2value LDAP_P((
 	int c ));
 
-static ber_slen_t filter_value_unescape LDAP_P((
-	char *filter ));
-
 static char *find_right_paren LDAP_P((
 	char *s ));
 
-static char *find_wildcard LDAP_P((
-	char *s ));
-
 static char *put_complex_filter LDAP_P((
 	BerElement *ber,
 	char *str,
@@ -416,8 +410,8 @@ static int hex2value( int c )
 	return -1;
 }
 
-static char *
-find_wildcard( char *s )
+char *
+ldap_pvt_find_wildcard( char *s )
 {
 	for( ; *s != '\0' ; s++ ) {
 		switch( *s ) {
@@ -428,10 +422,6 @@ find_wildcard( char *s )
 			s++; /* skip over escape */
 			if ( *s == '\0' )
 				return NULL;	/* escape at end of string */
-			if( hex2value( s[0] ) >= 0 && hex2value( s[1] ) >= 0 ) {
-				/* skip over lead digit of two hex digit code */
-				s++;
-			}
 		}
 	}
 
@@ -441,8 +431,8 @@ find_wildcard( char *s )
 /* unescape filter value */
 /* support both LDAP v2 and v3 escapes */
 /* output can include nul characters */
-static ber_slen_t
-filter_value_unescape( char *fval )
+ber_slen_t
+ldap_pvt_filter_value_unescape( char *fval )
 {
 	ber_slen_t r, v;
 	int v1, v2;
@@ -805,7 +795,7 @@ put_simple_filter(
 			}
 
 			if( rc != -1 ) {
-				ber_slen_t len = filter_value_unescape( value );
+				ber_slen_t len = ldap_pvt_filter_value_unescape( value );
 
 				if( len >= 0 ) {
 					rc = ber_printf( ber, "totb}",
@@ -819,7 +809,7 @@ put_simple_filter(
 		break;
 
 	default:
-		if ( find_wildcard( value ) == NULL ) {
+		if ( ldap_pvt_find_wildcard( value ) == NULL ) {
 			ftype = LDAP_FILTER_EQUALITY;
 		} else if ( strcmp( value, "*" ) == 0 ) {
 			ftype = LDAP_FILTER_PRESENT;
@@ -834,7 +824,7 @@ put_simple_filter(
 		rc = ber_printf( ber, "ts", ftype, str );
 
 	} else {
-		ber_slen_t len = filter_value_unescape( value );
+		ber_slen_t len = ldap_pvt_filter_value_unescape( value );
 
 		if( len >= 0 ) {
 			rc = ber_printf( ber, "t{so}",
@@ -862,7 +852,7 @@ put_substring_filter( BerElement *ber, char *type, char *val )
 		return( -1 );
 
 	for( ; val != NULL; val=nextstar ) {
-		if ( (nextstar = find_wildcard( val )) != NULL )
+		if ( (nextstar = ldap_pvt_find_wildcard( val )) != NULL )
 			*nextstar++ = '\0';
 
 		if ( gotstar == 0 ) {
@@ -874,7 +864,7 @@ put_substring_filter( BerElement *ber, char *type, char *val )
 		}
 
 		if ( *val != '\0' ) {
-			ber_slen_t len = filter_value_unescape( val );
+			ber_slen_t len = ldap_pvt_filter_value_unescape( val );
 
 			if ( len < 0  ) {
 				return -1;
diff --git a/servers/slapd/str2filter.c b/servers/slapd/str2filter.c
index 3c1a3e78fe67a106853f2cd727f24e86a598a15e..f3f2458668f19443f38de061882789f093b91066 100644
--- a/servers/slapd/str2filter.c
+++ b/servers/slapd/str2filter.c
@@ -13,6 +13,7 @@
 #include <ac/socket.h>
 
 #include "slap.h"
+#include <ldap_pvt.h>
 
 static char	*find_matching_paren(char *s);
 static Filter	*str2list(char *str, long unsigned int ftype);
@@ -23,7 +24,7 @@ Filter *
 str2filter( char *str )
 {
 	Filter	*f = NULL;
-	char	*end;
+	char	*end, *freeme;
 
 	Debug( LDAP_DEBUG_FILTER, "str2filter \"%s\"\n", str, 0, 0 );
 
@@ -31,10 +32,13 @@ str2filter( char *str )
 		return( NULL );
 	}
 
+	str = freeme = ch_strdup( str );
+
 	switch ( *str ) {
 	case '(':
 		if ( (end = find_matching_paren( str )) == NULL ) {
 			filter_free( f );
+			free( freeme );
 			return( NULL );
 		}
 		*end = '\0';
@@ -83,6 +87,7 @@ str2filter( char *str )
 		break;
 	}
 
+	free( freeme );
 	return( f );
 }
 
@@ -165,7 +170,7 @@ str2simple( char *str )
 		*s = '\0';
 		break;
 	default:
-		if ( strchr( value, '*' ) == NULL ) {
+		if ( ldap_pvt_find_wildcard( value ) == NULL ) {
 			f->f_choice = LDAP_FILTER_EQUALITY;
 		} else if ( strcmp( value, "*" ) == 0 ) {
 			f->f_choice = LDAP_FILTER_PRESENT;
@@ -188,6 +193,7 @@ str2simple( char *str )
 	} else {
 		f->f_avtype = ch_strdup( str );
 		f->f_avvalue.bv_val = ch_strdup( value );
+		ldap_pvt_filter_value_unescape( f->f_avvalue.bv_val );
 		f->f_avvalue.bv_len = strlen( value );
 	}
 
@@ -199,30 +205,31 @@ str2simple( char *str )
 static int
 str2subvals( char *val, Filter *f )
 {
-	char	*nextstar;
+	char	*nextstar, *freeme;
 	int	gotstar;
 
 	Debug( LDAP_DEBUG_FILTER, "str2subvals \"%s\"\n", val, 0, 0 );
 
+	val = freeme = ch_strdup( val );
 	gotstar = 0;
 	while ( val != NULL && *val ) {
-		if ( (nextstar = strchr( val, '*' )) != NULL )
+		if ( (nextstar = ldap_pvt_find_wildcard( val )) != NULL )
 			*nextstar++ = '\0';
 
+		ldap_pvt_filter_value_unescape( val );
 		if ( gotstar == 0 ) {
 			f->f_sub_initial = ch_strdup( val );
 		} else if ( nextstar == NULL ) {
 			f->f_sub_final = ch_strdup( val );
 		} else {
-			charray_add( &f->f_sub_any, ch_strdup( val ) );
+			charray_add( &f->f_sub_any, val );
 		}
 
 		gotstar = 1;
-		if ( nextstar != NULL )
-			*(nextstar-1) = '*';
 		val = nextstar;
 	}
 
+	free( freeme );
 	return( 0 );
 }