LSASS Directory Layout ---------------------- INTRODUCTION: ------------ This document describes the desired directory layout (and componentization) inside lsass. TERMINOLOGY: ----------- The following terminology is used in the LAYOUT section below. utility library - in effect, a static library that is pulled into some other shared object or binary. Note that a utility library should never be included in two shared objects or binaries that can be loaded in the same address space. shared object - shared library binary - an executable LAYOUT: ------ - client (1 shared object) [1] + api (1 utility library) + ad (1 utility library) + local (1 utility library) + ntlm (1 utility library) [1] - common (1 utility library used by client & server) + ipc - api - ad - local - ntlm + utils + lsaunistr [3] + lwunistr [3] - docs - etc - include (shared headers) - lsa (public client header -- lsa.h) - interop (several shared objects, only consumed externally) + auth [4] + nsswitch [4] + wbclient + lwicompat + lwmapsecurity (dlopen plugin for lwmapsecurity) + access (dlopen by eventlog) [5] + gssntlm (gssapi layer for NTLM) - join [7] - logging_r [6] - lsaunistr [6] - m4 (for autotools) - scripts [6] - server (1 binary and 3 shared objects + store + rpc + ntlm shared objects) + include (shared server-only headers) + logging_r (1 utility library) + api (1 shared object) + providers (2 shared objects) - local (1 shared object) - ad (1 shared object) + lsassd (1 binary) + ntlm (1 shared object – new code, currently unused) + rpc (currently various shared objects) [2] - idl - include - samr - lsa - dssetup + store (2 shared objects used by local provider and rpc) - include - dsapi (1 shared object) - samdb (1 shared object) - tests? - tools IMPORTANT: --------- In general, server-side code should not call client-side APIs. One potential exception might be for server-side code that cannot be invoked via IPC (e.g., RPC servers). NOTES: ----- [1] client/ntlm currently produces a separate shared object because it needs to link to pthreads. We need to revisit this. [2] rpc will need to become a single shared object. [3] lsaunistr and lwunistr will eventually be modified, merged, and moved into separate advapi component [4] auth contains PAM and authentication code used by the LAM module that currently resides in nsswitch/aix. It may be desirable refactor a little so that PAM is at interop/pam and perhaps LAM is at interop/lam. [5] access should eventually go away after switching eventlog to use a model based on security descriptors and access tokens (using lwmapsecurity). [6] these should go away [7] join is currently 1 shared object used by AD provider and domain join that contains 3 pieces: (1) LDAP wrapper, (2) KRB5 wrapper, and (3) domain join helper code. It will later be split into advapi and domainjoin components. BUILDS FOR EMBEDDED SYSTEMS: --------------------------- Note that a minimal build (for embedded systems) will collapse some of the shared objects to create a monolithic client API shared object and server daemon.