diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index e16c48887382fce6d25f2139e78f999eae45cf2e..e0c2380cf75f59a33ce6e6642fd820630fc3b5da 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -53,10 +53,8 @@ class SimpleSAML_Auth_LDAP
      * @param int $port
      * @param bool $referrals
      */
-    // TODO: Flesh out documentation
     public function __construct($hostname, $enable_tls = true, $debug = false, $timeout = 0, $port = 389, $referrals = true)
     {
-
         // Debug
         SimpleSAML\Logger::debug('Library - LDAP __construct(): Setup LDAP with ' .
                         'host=\'' . $hostname .
@@ -207,8 +205,7 @@ class SimpleSAML_Auth_LDAP
     {
         // Create the search filter
         $attribute = self::escape_filter_value($attribute, false);
-        $value = \SimpleSAML\Utils\Arrays::Arrayize($value);
-        $value = self::escape_filter_value($value);
+        $value = self::escape_filter_value($value, true);
         $filter = '';
         foreach ($attribute as $attr) {
             $filter .= '(' . $attr . '=' . $value. ')';
@@ -222,8 +219,7 @@ class SimpleSAML_Auth_LDAP
 
         // Search using generated filter
         SimpleSAML\Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\'');
-        // TODO: Should aliases be dereferenced?
-        $result = @ldap_search($this->ldap, $base, $filter, array(), 0, 0, $this->timeout);
+        $result = @ldap_search($this->ldap, $base, $filter, array(), 0, 0, $this->timeout, LDAP_DEREF_NEVER);
         if ($result === false) {
             throw $this->makeException('Library - LDAP search(): Failed search on base \'' . $base . '\' for \'' . $filter . '\'');
         }
@@ -250,7 +246,6 @@ class SimpleSAML_Auth_LDAP
         if ($dn === false) {
             throw $this->makeException('Library - LDAP search(): Unable to get DN after searching base \'' . $base . '\' for \'' . $filter . '\'');
         }
-        // FIXME: Are we now sure, if no excepton has been thrown, that we are returning a DN?
         return $dn;
     }
 
@@ -598,7 +593,6 @@ class SimpleSAML_Auth_LDAP
      * @param string $password
      * @return array|bool
      */
-    // TODO: Documentation; only cleared up exception/log messages
     public function validate($config, $username, $password = null)
     {
         /* Escape any characters with a special meaning in LDAP. The following
@@ -644,15 +638,13 @@ class SimpleSAML_Auth_LDAP
      * backslash followed by two hex digits representing the hexadecimal value of the character.
      *
      * @static
-     * @param array $values Array of values to escape
+     * @param string|array $values Array of values to escape
      * @return array Array $values, but escaped
      */
     public static function escape_filter_value($values = array(), $singleValue = true)
     {
         // Parameter validation
-        if (!is_array($values)) {
-            $values = array($values);
-        }
+        $values = \SimpleSAML\Utils\Arrays::arrayize($values);
 
         foreach ($values as $key => $val) {
             // Escaping of filter meta characters