fix: make Admin LDAP sign-in work against GLAuth

Three bugs blocked sign-in entirely:

- Login.razor is static-SSR but its form model lacked
  [SupplyParameterFromForm], so the posted username/password never
  bound — SignInAsync saw empty fields and bailed before LDAP was
  contacted. Annotate the model; seed it in OnInitialized since
  BL0008 forbids an initializer on a [SupplyParameterFromForm]
  property.
- appsettings.json ServiceAccountDn used ou=svcaccts, which GLAuth
  reads as a (non-existent) group — the service-account bind failed
  with "Group not found". Use cn=serviceaccount,dc=lmxopcua,dc=local.
- LdapAuthService resolved the user DN by searching (uid=...), but
  GLAuth keys users by cn. Add an LdapOptions.UserNameAttribute knob
  (default cn for GLAuth; set sAMAccountName for Active Directory)
  and use it for the search filter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor

@@ -47,10 +47,17 @@
         public string Password { get; set; } = string.Empty;
     }
 
-    private Input _input = new();
+    // Static-SSR form post: the model must be [SupplyParameterFromForm] or the
+    // submitted username/password never bind back onto _input. The property
+    // cannot carry an initializer (BL0008) — seed it in OnInitialized instead.
+    [SupplyParameterFromForm]
+    private Input _input { get; set; } = default!;
+
     private string? _error;
     private bool _busy;
 
+    protected override void OnInitialized() => _input ??= new();
+
     private async Task SignInAsync()
     {
         _error = null;