LDAP DN search memberof

Currently I'm trying to determine if a user should be able to login using LDAP. I've read up on many LDAP connections written in PHP and so far things were on track until I wanted to search if a user was part of a certain group.

Details I currently have to connecto to the LDAP server:

DN: CN=PAY LDAP user,OU=pay,OU=Applications,OU=IT Specials,DC=domain,DC=be
SAM: admin
PWD: password
Search DN ADM: OU=OU GROUP,OU=AD,DC=domain,DC=be
LDAP / GC server: knt-adm-dc1.domain.be, knt-adm-dc2.domain.be

This code though doesn't return me any results:

if($bind = ldap_bind($ldap, $username, $password)) {
    $filter = "(samaccountname=".$user.")";
    $attr = array("memberof");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
}

When I leave out the $attr from the search I do get a result though I can't seem to find a way to determine of this user is part of the ADMIN group.

From what I could read online the memberof attribute should be used to find if a user is part of a group though.

A couple things:

If a user is not a member of any groups, the memberOf attribute will not exist.
Builtin groups do not show up in the memberOf attribute.

A more failure-proof method is to use a somewhat obscure LDAP filter to search your group, and any nested groups, for a user: the LDAP_MATCHING_RULE_IN_CHAIN rule. Details here.

In PHP, it would look something like this (untested):

$filter = "(member:1.2.840.113556.1.4.1941:=".$user_distinguished_name.")";
$ldap_dn = "LDAP://".$group_distinguished_name;
$attr = array("cn");
$result = ldap_list($ldap, $ldap_dn, $filter, $attr);

Where $user_distinguished_name is the distinguished name of the user, and $group_distinguished_name is the DN of the group. You may have to get those beforehand.

Note I'm put ldap_list instead of ldap_search. The only difference between the two is the scope of the search. I think ldap_search might still work, but it's not needed.