The following code is taken from one of my projects. It returns a list of the names of every group the user is a member of, including nested groups (membership is resolved recursively). You should be able to use that to check for what you want:
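// Collects the sAMAccountName of every group that $userDN belongs to, directly
// or through nested groups, and returns them as a list of strings.
// Expects $ldapServerAddress, $ldapServerPort, $ldapUsername, $ldapPassword,
// $ldapSearchRoot and $userDN to be set by the surrounding code.
$ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort);
// Do something to handle connection failure here, this is just what I did.
// Checked before any other call so a failed handle is never passed on.
if ($ldapConnection === false) {
    throw new ActiveDirectoryConnectionException();
}
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
// Referral chasing is switched off for this connection.
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);

// A bind that supplies a DN with an empty password is an "unauthenticated
// bind" (RFC 4513); servers that accept it report success, so ldap_bind()
// alone would not catch missing credentials. Refuse them up front.
if (!is_string($ldapPassword) || $ldapPassword === '') {
    throw new ActiveDirectoryAuthenticationException();
}
// NOTE(review): nothing here enables TLS. Unless $ldapServerAddress is an
// ldaps:// URI or ldap_start_tls() is called before this point, a simple bind
// sends the password unencrypted - confirm how the caller sets this up.
// The original passed $dapPassword here, an undefined variable (typo).
$ldapBind = ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);
// Do something to handle binding failure here, this is just what I did.
if ($ldapBind === false) {
    throw new ActiveDirectoryAuthenticationException();
}

// Escape the DN for use inside a search filter so that characters such as
// "(", ")", "*" and "\" in it cannot change the structure of the filter.
$escapedUserDN = ldap_escape($userDN, '', LDAP_ESCAPE_FILTER);
// 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN,
// which makes the server walk nested group membership for us.
$filter = '(member:1.2.840.113556.1.4.1941:=' . $escapedUserDN . ')';
$result = ldap_search($ldapConnection, $ldapSearchRoot, $filter, array("sAMAccountName", "dn"));
// Do something to handle query failure here, this is just what I did.
if ($result === false) {
    throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));
}

$groups = ldap_get_entries($ldapConnection, $result);
// ldap_get_entries() can fail as well; report it the same way as the search.
if ($groups === false) {
    throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));
}

$groupNames = array();
// The result array carries a 'count' key next to the numeric entries, and
// attribute names come back lower-cased.
for ($i = 0; $i < $groups['count']; $i++) {
    // Skip entries that came back without the attribute instead of raising
    // an undefined-index notice.
    if (isset($groups[$i]['samaccountname'][0])) {
        $groupNames[] = $groups[$i]['samaccountname'][0];
    }
}
return $groupNames;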