diff --git a/internal/ldapauth/client.go b/internal/ldapauth/client.go
index dc4df5f..1174fc1 100644
--- a/internal/ldapauth/client.go
+++ b/internal/ldapauth/client.go
@@ -204,8 +204,12 @@ func FetchUsers(cfg Config) ([]LDAPUser, error) {
 if filter == "" {
 filter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
 } else {
- // If the UserFilter is a login filter like (uid=%s), make it a wildcard search.
+ // Convert login filter (e.g. uid=%s or (uid=%s)) to a wildcard search.
 filter = strings.ReplaceAll(filter, "%s", "*")
+ // Wrap in parentheses if missing — e.g. "uid=*" → "(uid=*)"
+ if !strings.HasPrefix(filter, "(") {
+ filter = "(" + filter + ")"
+ }
 }
 req := ldapv3.NewSearchRequest(
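Review bot: The added wrap in the `else` branch looks only at the first byte of the configured filter, so a UserFilter with leading whitespace (for example " (uid=%s)") is wrapped a second time, and a value that starts with `(` but is unbalanced goes to the search request unchanged. Trimming first with `filter = strings.TrimSpace(filter)` and then validating before building the request, e.g. `if _, err := ldapv3.CompileFilter(filter); err != nil { return nil, err }` (assuming `ldapv3` is the go-ldap v3 package, which the hunk does not show), would surface a misconfigured filter as a clear local error rather than a server-side failure. If the login path elsewhere substitutes the escaped username into the same UserFilter, it presumably needs the same normalisation so that user listing and authentication agree on one filter shape; that code is not visible here. FetchUsers starts and ends outside this hunk.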