Byron Claiborne

Reputation: 215

php Active Directory lookup

I am trying to do an ldap authorization and then a secondary check for membership in a group. System is an Ubuntu machine running php 5.3.10 authenticating against a Server2008 R2 Active Directory. I can't seem to get ldap_search() to work. I have pulled the DN from jExplore so I am pretty sure the DN is correct. ldap_bind works (in another function) with the credentials so I am sure the server and the username/password are valid. The error:

PHP Warning:  ldap_search(): Search: Operations error in /var/www/zzz.php on line 28

The code:

$ldap = ldap_connect('ldap://xxx.xxx');

$admins = $auth['admin'];
// User not logged in, user level '0'
if (!isset($user))
{
    return 0;
}

    // DN of the group (used here as the search base)
    $group_dn = 'CN=IT Employees,OU=groups,OU=users,OU=xxx,DC=xxx,DC=xxx';
    // Filter; note that $user is placed into the filter unescaped,
    // so any filter metacharacters in it alter the query (LDAP injection)
    $filter = '(sAMAccountName=' . $user . ')';
    // Attributes to return
    $attr = array("memberof", "givenname");
    // $attr is an array, so it has to be joined before echoing
    echo $group_dn . ' ' . $filter . ' ' . implode(',', $attr) . '<br />';

    // Check if the user is a member of the Admin Group
    $SubGroups = ldap_search($ldap, $group_dn, $filter, $attr); // Search the admin group for user.

    $debug = ldap_get_entries($ldap, $SubGroups);
    echo $debug['count'];

    // '>' (comparison), not '>>' (bit shift) as originally written
    if ($debug['count'] > 0)
    {
        // Yep, you are set admin. (User level 2)
        echo "Admin Set<br />";
        return 2;
    }
    else
    {
        // Failure. Thou art a normal user. (User level 1)
        echo "Admin Denied<br />";
        return 1;
    }
}

Upvotes: 0

Views: 393

Answers (2)

Byron Claiborne

Reputation: 215

$ldap = ldap_connect('ldap://xxx.xxx');

needed to change to

$ldap = ldap_connect('ldap://xxx.xxx');
// Do not chase referrals returned by Active Directory (the cause of "Operations error")
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// Active Directory requires LDAPv3
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// Upgrade the connection to TLS before sending credentials
ldap_start_tls($ldap);
$bind = ldap_bind($ldap, 'user', 'pass');

Upvotes: 1

jwilleke

Reputation: 10976

I think this filter should work:

(&(objectClass=user)(sAMAccountName=yourUserName)
  (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

Well I am sure this could be tuned to work for you.

-jim

Upvotes: 0
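Putting the two answers together, here is a complete lookup as an added example; it is not code from the asker or either answerer. It combines the connection options from the first answer with the memberOf filter from the second, and adds the filter escaping the question's code lacks. The host name, the base and group DNs, the service-account credentials and the helper names (ldap_filter_escape, ldap_open, user_level) are all placeholders and assumptions of this example.

```php
<?php
// Added example, not the original poster's code. All DNs, hosts and
// credentials below are placeholders.

// RFC 4515 escaping for values placed inside an LDAP search filter.
// PHP 5.3 has no ldap_escape() (it arrived in 5.6), so this is done by
// hand; on 5.6+ use ldap_escape($value, '', LDAP_ESCAPE_FILTER) instead.
function ldap_filter_escape($value)
{
    $map = array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    );
    return strtr($value, $map);
}

// Open and secure the connection, then bind with a dedicated read-only
// service account. Returns the link resource, or false on any failure.
function ldap_open($host, $bind_dn, $bind_pw)
{
    $ldap = ldap_connect('ldap://' . $host);
    if ($ldap === false) {
        return false;
    }
    // Active Directory returns referrals the PHP client cannot follow;
    // chasing them is what produces "Operations error" on ldap_search().
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Upgrade to TLS before any credentials cross the wire.
    if (!ldap_start_tls($ldap)) {
        ldap_unbind($ldap);
        return false;
    }
    if (!ldap_bind($ldap, $bind_dn, $bind_pw)) {
        ldap_unbind($ldap);
        return false;
    }
    return $ldap;
}

// Returns 2 when $user is a direct member of $group_dn, 1 when the user
// exists but is not a member, and 0 when the user cannot be found.
function user_level($ldap, $base_dn, $group_dn, $user)
{
    $safe_user  = ldap_filter_escape($user);
    $safe_group = ldap_filter_escape($group_dn);

    // Search from the domain base, not from the group DN: the user object
    // lives under the users OU, so a search rooted at the group finds nothing
    // even when membership is correct.
    $user_filter = '(&(objectClass=user)(sAMAccountName=' . $safe_user . '))';
    $result = ldap_search($ldap, $base_dn, $user_filter, array('dn'));
    if ($result === false) {
        return 0;
    }
    $entries = ldap_get_entries($ldap, $result);
    if ($entries['count'] !== 1) {
        return 0; // unknown user, or an ambiguous match
    }

    // Let the server evaluate membership with the memberOf clause from the
    // second answer; DN comparison on the server side is case-insensitive.
    $member_filter = '(&(objectClass=user)(sAMAccountName=' . $safe_user . ')'
                   . '(memberof=' . $safe_group . '))';
    $result = ldap_search($ldap, $base_dn, $member_filter, array('dn'));
    if ($result === false) {
        return 1;
    }
    $entries = ldap_get_entries($ldap, $result);
    return $entries['count'] > 0 ? 2 : 1;
}

// Usage (placeholder values):
$ldap = ldap_open('dc.example.test', 'CN=svc-ldap,OU=service,DC=example,DC=test', 'service-password');
if ($ldap !== false) {
    $level = user_level($ldap, 'DC=example,DC=test',
                        'CN=IT Employees,OU=groups,OU=users,OU=xxx,DC=example,DC=test',
                        $_SERVER['REMOTE_USER']);
    ldap_unbind($ldap);
}
```

Two design choices worth noting. The bind uses a dedicated service account rather than the end user's credentials, so the lookup works the same whether or not the user has already authenticated, and the bind password can be scoped to read-only access. The memberOf test only covers direct membership; if the admin group contains other groups, the check needs the AD matching-rule-in-chain extension (OID 1.2.840.113556.1.4.1941) in the memberof clause, or a walk of the nested groups.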
