Phase 0 — mechanical rename ZB.MOM.WW.LmxOpcUa.* → ZB.MOM.WW.OtOpcUa.*

Renames all 11 projects (5 src + 6 tests), the .slnx solution file, all source-file namespaces, all axaml namespace references, and all v1 documentation references in CLAUDE.md and docs/*.md (excluding docs/v2/ which is already in OtOpcUa form). Also updates the TopShelf service registration name from "LmxOpcUa" to "OtOpcUa" per Phase 0 Task 0.6.

Preserves runtime identifiers per Phase 0 Out-of-Scope rules to avoid breaking v1/v2 client trust during coexistence: OPC UA `ApplicationUri` defaults (`urn:{GalaxyName}:LmxOpcUa`), server `EndpointPath` (`/LmxOpcUa`), `ServerName` default (feeds cert subject CN), `MxAccessConfiguration.ClientName` default (defensive — stays "LmxOpcUa" for MxAccess audit-trail consistency), client OPC UA identifiers (`ApplicationName = "LmxOpcUaClient"`, `ApplicationUri = "urn:localhost:LmxOpcUaClient"`, cert directory `%LocalAppData%\LmxOpcUaClient\pki\`), and the `LmxOpcUaServer` class name (class rename out of Phase 0 scope per Task 0.5 sed pattern; happens in Phase 1 alongside `LmxNodeManager → GenericDriverNodeManager` Core extraction). 23 LmxOpcUa references retained, all enumerated and justified in `docs/v2/implementation/exit-gate-phase-0.md`.

Build clean: 0 errors, 30 warnings (lower than baseline 167). Tests at strict improvement over baseline: 821 passing / 1 failing vs baseline 820 / 2 (one flaky pre-existing failure passed this run; the other still fails — both pre-existing and unrelated to the rename). `Client.UI.Tests`, `Historian.Aveva.Tests`, `Client.Shared.Tests`, `IntegrationTests` all match baseline exactly. Exit gate compliance results recorded in `docs/v2/implementation/exit-gate-phase-0.md` with all 7 checks PASS or DEFERRED-to-PR-review (#7 service install verification needs Windows service permissions on the reviewer's box).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Host/Domain/LdapAuthenticationProvider.cs

@@ -0,0 +1,148 @@
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices.Protocols;
+using System.Net;
+using Serilog;
+using ZB.MOM.WW.OtOpcUa.Host.Configuration;
+
+namespace ZB.MOM.WW.OtOpcUa.Host.Domain
+{
+    /// <summary>
+    ///     Validates credentials via LDAP bind and resolves group membership to application roles.
+    /// </summary>
+    public class LdapAuthenticationProvider : IUserAuthenticationProvider, IRoleProvider
+    {
+        private static readonly ILogger Log = Serilog.Log.ForContext<LdapAuthenticationProvider>();
+
+        private readonly LdapConfiguration _config;
+        private readonly Dictionary<string, string> _groupToRole;
+
+        public LdapAuthenticationProvider(LdapConfiguration config)
+        {
+            _config = config;
+            _groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+            {
+                { config.ReadOnlyGroup, AppRoles.ReadOnly },
+                { config.WriteOperateGroup, AppRoles.WriteOperate },
+                { config.WriteTuneGroup, AppRoles.WriteTune },
+                { config.WriteConfigureGroup, AppRoles.WriteConfigure },
+                { config.AlarmAckGroup, AppRoles.AlarmAck }
+            };
+        }
+
+        public IReadOnlyList<string> GetUserRoles(string username)
+        {
+            try
+            {
+                using (var connection = CreateConnection())
+                {
+                    // Bind with service account to search
+                    connection.Bind(new NetworkCredential(_config.ServiceAccountDn, _config.ServiceAccountPassword));
+
+                    var request = new SearchRequest(
+                        _config.BaseDN,
+                        $"(cn={EscapeLdapFilter(username)})",
+                        SearchScope.Subtree,
+                        "memberOf");
+
+                    var response = (SearchResponse)connection.SendRequest(request);
+
+                    if (response.Entries.Count == 0)
+                    {
+                        Log.Warning("LDAP search returned no entries for {Username}", username);
+                        return new[] { AppRoles.ReadOnly }; // safe fallback
+                    }
+
+                    var entry = response.Entries[0];
+                    var memberOf = entry.Attributes["memberOf"];
+                    if (memberOf == null || memberOf.Count == 0)
+                    {
+                        Log.Debug("No memberOf attributes for {Username}, defaulting to ReadOnly", username);
+                        return new[] { AppRoles.ReadOnly };
+                    }
+
+                    var roles = new List<string>();
+                    for (var i = 0; i < memberOf.Count; i++)
+                    {
+                        var dn = memberOf[i]?.ToString() ?? "";
+                        // Extract the OU/CN from the memberOf DN (e.g., "ou=ReadWrite,ou=groups,dc=...")
+                        var groupName = ExtractGroupName(dn);
+                        if (groupName != null && _groupToRole.TryGetValue(groupName, out var role)) roles.Add(role);
+                    }
+
+                    if (roles.Count == 0)
+                    {
+                        Log.Debug("No matching role groups for {Username}, defaulting to ReadOnly", username);
+                        roles.Add(AppRoles.ReadOnly);
+                    }
+
+                    Log.Debug("LDAP roles for {Username}: [{Roles}]", username, string.Join(", ", roles));
+                    return roles;
+                }
+            }
+            catch (Exception ex)
+            {
+                Log.Warning(ex, "Failed to resolve LDAP roles for {Username}, defaulting to ReadOnly", username);
+                return new[] { AppRoles.ReadOnly };
+            }
+        }
+
+        public bool ValidateCredentials(string username, string password)
+        {
+            try
+            {
+                var bindDn = _config.BindDnTemplate.Replace("{username}", username);
+                using (var connection = CreateConnection())
+                {
+                    connection.Bind(new NetworkCredential(bindDn, password));
+                }
+
+                Log.Debug("LDAP bind succeeded for {Username}", username);
+                return true;
+            }
+            catch (LdapException ex)
+            {
+                Log.Debug("LDAP bind failed for {Username}: {Error}", username, ex.Message);
+                return false;
+            }
+            catch (Exception ex)
+            {
+                Log.Warning(ex, "LDAP error during credential validation for {Username}", username);
+                return false;
+            }
+        }
+
+        private LdapConnection CreateConnection()
+        {
+            var identifier = new LdapDirectoryIdentifier(_config.Host, _config.Port);
+            var connection = new LdapConnection(identifier)
+            {
+                AuthType = AuthType.Basic,
+                Timeout = TimeSpan.FromSeconds(_config.TimeoutSeconds)
+            };
+            connection.SessionOptions.ProtocolVersion = 3;
+            return connection;
+        }
+
+        private static string? ExtractGroupName(string dn)
+        {
+            // Parse "ou=ReadWrite,ou=groups,dc=..." or "cn=ReadWrite,..."
+            if (string.IsNullOrEmpty(dn)) return null;
+            var parts = dn.Split(',');
+            if (parts.Length == 0) return null;
+            var first = parts[0].Trim();
+            var eqIdx = first.IndexOf('=');
+            return eqIdx >= 0 ? first.Substring(eqIdx + 1) : null;
+        }
+
+        private static string EscapeLdapFilter(string input)
+        {
+            return input
+                .Replace("\\", "\\5c")
+                .Replace("*", "\\2a")
+                .Replace("(", "\\28")
+                .Replace(")", "\\29")
+                .Replace("\0", "\\00");
+        }
+    }
+}