diff --git a/changelogs/unreleased/sanitize_rake_ldap_check_output.yml b/changelogs/unreleased/sanitize_rake_ldap_check_output.yml
new file mode 100644
index 00000000000..92824d1dd48
--- /dev/null
+++ b/changelogs/unreleased/sanitize_rake_ldap_check_output.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize LDAP output in Rake tasks
+merge_request: 28427
+author:
+type: fixed
diff --git a/lib/system_check/ldap_check.rb b/lib/system_check/ldap_check.rb
index 619fb3cccb8..938026424ed 100644
--- a/lib/system_check/ldap_check.rb
+++ b/lib/system_check/ldap_check.rb
@@ -33,8 +33,13 @@ module SystemCheck
 $stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"
 users = adapter.users(adapter.config.uid, '*', limit)
- users.each do |user|
- $stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
+
+ if should_sanitize?
+ $stdout.puts "\tUser output sanitized. Found #{users.length} users of #{limit} limit."
+ else
+ users.each do |user|
+ $stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
+ end
 end
 end
 rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e
diff --git a/spec/tasks/gitlab/check_rake_spec.rb b/spec/tasks/gitlab/check_rake_spec.rb
index 06525e3c771..0fcb9b269f3 100644
--- a/spec/tasks/gitlab/check_rake_spec.rb
+++ b/spec/tasks/gitlab/check_rake_spec.rb
@@ -96,6 +96,15 @@ describe 'check.rake' do
 subject
 end
+
+ it 'sanitizes output' do
+ user = double(dn: 'uid=fake_user1', uid: 'fake_user1')
+ allow(adapter).to receive(:users).and_return([user])
+ stub_env('SANITIZE', 'true')
+
+ expect { subject }.to output(/User output sanitized/).to_stdout
+ expect { subject }.not_to output('fake_user1').to_stdout
+ end
 end
 end
 end
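Review bot: The new `if should_sanitize?` branch in lib/system_check/ldap_check.rb has no comment saying why user rows are suppressed or what enables it, and `should_sanitize?` is not defined anywhere in this diff. Judging only from the spec's `stub_env('SANITIZE', 'true')`, it appears to be an opt-in environment switch, which would mean the default run still prints every DN and uid into output that operators commonly paste into tickets. I would add above the branch `# DNs and uids identify real directory accounts; print only a count when sanitized output was requested (SANITIZE=true).` and confirm that the helper treats unset or unexpected values the way operators expect. The enclosing method and its `begin`/`rescue` start and end outside the hunk.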
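Review bot: The negative assertion `expect { subject }.not_to output('fake_user1').to_stdout` in the new 'sanitizes output' example cannot fail for the reason it is meant to. With a String argument RSpec's `output` matcher compares the whole captured stream for equality, so the expectation holds whenever stdout is anything other than exactly `fake_user1`, including when the uid or DN is leaked in the middle of the output. Use a pattern instead, `expect { subject }.not_to output(/fake_user1/).to_stdout`, so a regression in the sanitized branch is actually caught. The surrounding describe and context blocks begin outside the hunk.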