Add LDAP authentication with role-based OPC UA permissions

Replace static user list with GLAuth LDAP authentication. Group
membership (ReadOnly, ReadWrite, AlarmAck) maps to granular OPC UA
permissions for write and alarm-ack operations. Anonymous can still
browse and read but not write.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/Configuration.md

@@ -116,11 +116,62 @@ Controls user authentication and write authorization for the OPC UA server. Defi
 | `AnonymousCanWrite` | `bool` | `true` | Permits anonymous users to write when `true` |
 | `Users` | `List<UserCredential>` | `[]` | List of username/password credentials for `UserName` token authentication |
 
-Each entry in the `Users` list has two properties: `Username` (string) and `Password` (string).
+Each entry in the `Users` list has two properties: `Username` (string) and `Password` (string). The `Users` list is ignored when `Ldap.Enabled` is `true`.
 
-The defaults preserve the existing behavior: anonymous clients can connect, read, and write with no credentials required. To restrict writes to authenticated users, set `AnonymousCanWrite` to `false` and add entries to the `Users` list.
+#### LDAP Authentication
 
-Example configuration:
+When `Ldap.Enabled` is `true`, credentials are validated against the configured LDAP server and group membership determines OPC UA permissions. The `Users` list is ignored.
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `Ldap.Enabled` | `bool` | `false` | Enables LDAP authentication |
+| `Ldap.Host` | `string` | `localhost` | LDAP server hostname |
+| `Ldap.Port` | `int` | `3893` | LDAP server port |
+| `Ldap.BaseDN` | `string` | `dc=lmxopcua,dc=local` | Base DN for LDAP operations |
+| `Ldap.BindDnTemplate` | `string` | `cn={username},dc=lmxopcua,dc=local` | Bind DN template (`{username}` is replaced) |
+| `Ldap.ServiceAccountDn` | `string` | `""` | Service account DN for group lookups |
+| `Ldap.ServiceAccountPassword` | `string` | `""` | Service account password |
+| `Ldap.TimeoutSeconds` | `int` | `5` | Connection timeout |
+| `Ldap.ReadOnlyGroup` | `string` | `ReadOnly` | LDAP group granting read-only access |
+| `Ldap.ReadWriteGroup` | `string` | `ReadWrite` | LDAP group granting read-write access |
+| `Ldap.AlarmAckGroup` | `string` | `AlarmAck` | LDAP group granting alarm acknowledgment |
+
+#### Permission Model
+
+When LDAP is enabled, authenticated users receive permissions based on their LDAP group membership:
+
+| LDAP Group | Permission |
+|---|---|
+| ReadOnly | Browse and read nodes |
+| ReadWrite | Browse, read, and write tag values |
+| AlarmAck | Acknowledge alarms |
+
+Users can belong to multiple groups. The `admin` user in the default GLAuth configuration belongs to all three groups.
+
+Example with LDAP authentication:
+
+```json
+"Authentication": {
+  "AllowAnonymous": true,
+  "AnonymousCanWrite": false,
+  "Users": [],
+  "Ldap": {
+    "Enabled": true,
+    "Host": "localhost",
+    "Port": 3893,
+    "BaseDN": "dc=lmxopcua,dc=local",
+    "BindDnTemplate": "cn={username},dc=lmxopcua,dc=local",
+    "ServiceAccountDn": "cn=serviceaccount,dc=lmxopcua,dc=local",
+    "ServiceAccountPassword": "serviceaccount123",
+    "TimeoutSeconds": 5,
+    "ReadOnlyGroup": "ReadOnly",
+    "ReadWriteGroup": "ReadWrite",
+    "AlarmAckGroup": "AlarmAck"
+  }
+}
+```
+
+Example with static user list (no LDAP):
 
 ```json
 "Authentication": {