fix(security): resolve Security-004..007 — configurable user-id attribute, DN escaping, JWT issuer/audience validation, idle-timeout preservation

src/ScadaLink.Security/SecurityOptions.cs

@@ -37,10 +37,19 @@ public class SecurityOptions
     /// <summary>
     /// Service account DN for LDAP user searches (e.g., "cn=admin,dc=example,dc=com").
     /// Required for search-then-bind authentication. If empty, direct bind with
-    /// cn={username},{LdapSearchBase} is attempted instead.
+    /// {LdapUserIdAttribute}={username},{LdapSearchBase} is attempted instead.
     /// </summary>
     public string LdapServiceAccountDn { get; set; } = string.Empty;
 
+    /// <summary>
+    /// LDAP attribute that identifies a user. Used both for the search-then-bind
+    /// filter (<c>({LdapUserIdAttribute}={username})</c>) and for constructing the
+    /// fallback bind DN when no service account is configured, so the two
+    /// authentication modes are interchangeable. Common values: <c>uid</c> (OpenLDAP),
+    /// <c>sAMAccountName</c> (Active Directory).
+    /// </summary>
+    public string LdapUserIdAttribute { get; set; } = "uid";
+
     /// <summary>
     /// Service account password for LDAP user searches.
     /// </summary>