I'm trying to secure a login endpoint by attempting to bypass the login that uses LDAP.
It employs a search query of "cn=" + username + ", dc=example, dc=com" with a filter of "(objectClass=*)".
Is an LDAP injection attack possible here with username? Obviously, I will eventually escape all the queries and filters.
LDAP injection attacks can't do anything useful.
In your case, you're injecting the user input into the base DN (also called "search root") of the search. The base DN must be a valid DN (distinguished name). Any attempt at injecting some clever value there will likely result in something that is not a valid DN, and the search will fail (or return nothing). Even if it did result in a valid DN, I assume you are still asking for the user's password, so they'd have to know the password for that account.
But if you want to prevent that, just replace "," in the input with "\,". That's likely something you should do anyway, since if the account has a comma in the name, it will be escaped like that in the DN. This is an odd way of doing it though. Usually the base DN would always be the same and you would use the search filter to find the right account (i.e. "(&(objectClass=user)(cn={whatever}))").
If you are injecting user input into the search filter, the end user could change the query, but there is still nothing useful that can be done since the query can only read values (although you can still protect against that if you want by escaping "(" and ")" with "\28" and "\29").
LDAP queries are not like SQL, where an injection attack can end the SELECT statement and begin another statement.
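As an added example (not code from the question or the answer above), here are the two escaping steps the answer describes, DN value escaping for the "cn=" + username base DN and search filter escaping for the "(cn=...)" assertion, extended from the comma and parentheses named above to the full RFC 4514 and RFC 4515 character sets. The helper names `build_base_dn` and `build_filter` are my own; the `dc=example,dc=com` suffix is taken from the question.

```python
# Added example: escaping helpers for the two LDAP injection points discussed
# above. Rules follow RFC 4514 (DN string representation) and RFC 4515
# (search filter string representation).

# RFC 4514: these characters must be backslash-escaped anywhere in a DN value.
DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN such as cn=<value>,dc=example,dc=com."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')            # NUL must be hex-encoded
        elif i == 0 and ch in ' #':
            out.append('\\' + ch)         # leading space or '#' is significant
        elif i == last and ch == ' ':
            out.append('\\ ')             # trailing space is significant
        else:
            out.append(ch)
    return ''.join(out)


# RFC 4515: these must be encoded as backslash + two hex digits inside a filter
# so they are read as literal characters, not filter syntax.
FILTER_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value used in an assertion such as (cn=<value>)."""
    return ''.join(FILTER_SPECIAL.get(ch, ch) for ch in value)


def build_base_dn(username: str) -> str:
    """The question's per-user base DN, with the username escaped as a DN value."""
    return f"cn={escape_dn_value(username)},dc=example,dc=com"


def build_filter(username: str) -> str:
    """The fixed-base-DN alternative the answer recommends, with the username escaped."""
    return f"(&(objectClass=user)(cn={escape_filter_value(username)}))"


if __name__ == "__main__":
    sample = "O'Neil, Sean (Sales)*"     # constructed sample input
    print(build_base_dn(sample))
    print(build_filter(sample))
```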