Restricted distribution and LDAP integration: Reference implementation

This article provides a reference implementation for integrating Adobe Digital Publishing Suite's restricted distribution capability and LDAP. Restricted distribution is essentially entitlement with the publisher's server determining which individual or group is entitled to a folio. In this implementation, our users and groups are coming from LDAP. In the example below, the groups include human resources, finance, sales, engineering and marketing. Your groups will differ depending on your LDAP installation.

The reference implementation makes use of HTML, JavaScript, ExtJS, PHP, MySQL and LDAP. Integrating with LDAP allows a publisher to leverage their existing infrastructure by allowing users to login with their LDAP credentials and become entitled on an individual basis and/or a group basis. Folio entitlement data is stored in MySQL while user and group info is stored in LDAP. In this implementation, an admin tool has been created using Sencha ExtJS, that allows publishers to manage folio entitlements at the user or group level. The admin tool uses PHP to connect to MySQL and LDAP. Once folios have been entitled from the admin tool, users can open their associated viewer, login with their LDAP credentials from the entitlement banner and view the folios to which they are entitled.

The admin tool is used to entitle users and groups. Figures 3-11 show the views of the admin.

The viewer app allows a user to login through the entitlement banner. Figures 12-13 show the viewer using restricted distribution.

In order to make use of this reference implementation you will need the following:

1. Folios which are published as public retail. Since your viewer will be using restricted distribution you will not have to create product Ids in iTunesConnect.
2. Access to create a database and tables in MySQL.
3. Read access to LDAP. The example in this articles uses an OpenLDAP (www.openldap.org) implementation. It is expected that you may need to make changes to access another providers LDAP implementation.
4. A web server (Apache) with PHP.

File Structure

If you unzip the restricted_distribution.zip file, you will see the file structure displayed in Figure 12.

The following are descriptions of the top level files and folders.

• database.sql – used to create the database and tables
• site – contains the files that will be hosted on your web server
• site/app – contains the JavaScript files for the admin
• site/app.js - the main application file for the admin
• site/banner – contains the files to display the entitlement banner in the viewer
• site/extjs – contains files for Sencha ExtJS. For the purposes of this example, only the styles and ext-all.js are included and not the source files.
• site/.htaccess – the file used to redirect http requests for index.html to https. Since the admin tool uses LDAP usernames and passwords, this file redirects users to always use https. Since this is a hidden file it might not be visible to you. Depending on your FTP client, it will most likely be visible from there. Important, if you do not have SSL enabled on your webserver, you should not upload this file to your server.
• site/images – contains images used in the admin
• site/index.html – the html page for the admin
• site/resources – contains the php files used for the admin, entitlement banner and required entitlement APIs for the viewer. The entitlement APIs are in site/resources/api. Included in the api folder is another .htaccess that redirects entitlement requests to their equivalent PHP page. This is because the entitlement API does not use file extensions.
• site/styles.css – the styles for the admin

Modifying the example for your use

To make use of the example files with your own content, you will have to complete the following steps.

1. Run database.sql to create the database and tables.
2. Modify site/resources/database_connection.php so it is pointing at your webserver.
3. Modify site/resources/ldap_connection.php so it is pointing at your LDAP server.
4. Modify site/resources/admin/fulfillment_proxy.php so it is pointing at your account.
5. Deploy the files to your webserver.
6. Entitle users and groups to folios.
7. Create a viewer.
8. Test entitlement in the viewer.

The following sections explain these steps in more detail.

1. Run database.sql to create the database and tables.

Connect to your MySQL database and run database.sql. Alternatively you can use Sequel Pro which provides a user interface for connecting and modifying your database. Using Sequel Pro, once connected to your database you can select File > Import… and navigate to database.sql. This SQL script creates the empty tables and adds a default user for the admin with username=admin and password=admin. If you used Sequel Pro to import the database, you should see the following tables.

1. Modify site/resources/database_connection.php so it is pointing at your webserver

On line 3, change $dbHost so it is pointing at the URL to your MySQL installation.

On line 6, change $dbUser so it matches the user name for your database.

On line 9, change $dbPassword so it matches the password for your database.

If you changed the database name, on line 12, change $dbName so it matches your database name.

2. Modify site/resources/ldap_connection.php so it is pointing at your LDAP server

On line 3, change $ldapHost so it is pointing at the URL to your LDAP installation.

On line 6, change $ldapPort so it matches the port of your LDAP installation.

On line 8, change $baseDn so it matches your base distinguished name.

On line 11, change $dn so it matches the distinguished name of your admin user.

On line 14, change $ldapPassword so it matches the password of your admin user.

On line 17, change $groupOU so it matches the organizational unit of your groups.

On line 20, change $peopleOU so it matches the organizational unit of your users.

The searches in LDAP assume the following field names for users: uid, givenName, sn, gidNumber, cn and userpassword. Passwords are encoded in LDAP using MD5. If you are using a different encoding, site/resources/api/SignInWithCredentials.php should be updated on line 31 to reflect your encoding.

Since LDAP implementations can vary, if you would like different user fields to be displayed in the user grid you should modify resources/admin/getUsers.php, app/model/User.js and app/view/Main.js to appropriately reflect your field names.

The searches in LDAP assume the following field names for groups: gidNumber and cn.

3. Modify site/resources/admin/fulfillment_proxy.php so it is pointing at your account

On line 4, change $feed so the accountId matches your account id. For information on finding your accountId, see the "Connecting to fulfillment" section in the Adobe article Building a custom storefront. Once you have your accountId, you will modify the value after http://edge.adobe-dcfs.com/ddp/issueServer/issues?accountId=. To verify that you have published folios, you can navigate to the URL to view your folios. This XML file will only display published folios.

4. Deploy the files to your webserver

Upload the contents of the site directory to your webserver. For simplicity this article does not go into detail about deploying a production ready Sencha application. For more details, check out the Sencha SDK Tools.

5. Entitle users and groups to folios

In a browser, go to the location in your previous step and open index.html. Open each item in the left nav and verify the grids are populated. Double-click on rows in the users and groups grids and assign the appropriate folios to each. If you'd like to allow a user to login with a token, double-click a user and set the value for a token. These values should be unique.

6. Create a viewer

For information on creating a viewer app see the Viewer Builder tutorial video or read the documentation. The viewer you create should be an entitlement viewer. On the entitlement details screen, the two service URLs should be the absolute path to where you deployed the files in step 5 appended with "resources/api". The value for Banner Page URL should be the absolute path to where you deployed the files in step 5 appended with "banner/index.html".

7. Test entitlement in the viewer

After you have installed the viewer on your iPad, open the viewer and login using the entitlement banner at the top. After logging in successfully you should see the library automatically update and populate with the folios to which the user is entitled.

This article has shown you how to modify the reference implementation to integrate restricted distribution with your LDAP. For more articles on the Digital Publishing Suite please check out the Digital Publishing Suite Developer Center.