feat(auth): cut OtOpcUa over to ZB.MOM.WW.Auth.Ldap; preserve DevStubMode; route roles via IGroupRoleMapper (Task 1.2/1.4)

src/Server/ZB.MOM.WW.OtOpcUa.Host/Configuration/LdapOptionsValidator.cs

@@ -10,7 +10,10 @@ namespace ZB.MOM.WW.OtOpcUa.Host.Configuration;
 ///     TCP port; when disabled — or when <c>DevStubMode</c> bypasses the real bind — all checks are
 ///     skipped. <c>ServiceAccountDn</c>/<c>Password</c> are
 ///     intentionally not required — an empty pair selects the direct-bind path (see
-///     <see cref="LdapOptions.ServiceAccountDn"/>). Failure messages use <c>"Ldap:"</c> as a
+///     <see cref="LdapOptions.ServiceAccountDn"/>). The plaintext-transport-without-AllowInsecure
+///     guard is enforced at the auth boundary (<see cref="OtOpcUaLdapAuthService"/>) rather than here,
+///     to preserve the bespoke service's behaviour of booting and failing closed at login (not at
+///     startup) when a config selects insecure transport. Failure messages use <c>"Ldap:"</c> as a
 ///     human-readable field prefix — not the literal bound section path, which is
 ///     <c>Security:Ldap</c> (see <see cref="LdapOptions.SectionName"/>).
 /// </summary>