Add LDAP authentication with role-based OPC UA permissions

Replace static user list with GLAuth LDAP authentication. Group
membership (ReadOnly, ReadWrite, AlarmAck) maps to granular OPC UA
permissions for write and alarm-ack operations. Anonymous can still
browse and read but not write.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

service_info.md

@@ -89,6 +89,34 @@ opcuacli-dotnet.exe redundancy -u opc.tcp://localhost:4841/LmxOpcUa
 
 Both instances report the same `ServerUriArray` and expose the same Galaxy namespace (`urn:ZB:LmxOpcUa`).
 
+## LDAP Authentication Update
+
+Updated: `2026-03-28`
+
+Both instances updated to use LDAP authentication via GLAuth.
+
+Configuration changes (both instances):
+- `Authentication.AllowAnonymous`: `true` (anonymous can browse/read)
+- `Authentication.AnonymousCanWrite`: `false` (anonymous writes blocked)
+- `Authentication.Ldap.Enabled`: `true`
+- `Authentication.Ldap.Host`: `localhost`
+- `Authentication.Ldap.Port`: `3893`
+- `Authentication.Ldap.BaseDN`: `dc=lmxopcua,dc=local`
+
+LDAP server: GLAuth v2.4.0 at `C:\publish\glauth\` (Windows service: `GLAuth`)
+
+Permission verification (instance1, port 4840):
+```
+anonymous read    → allowed
+anonymous write   → denied  (BadUserAccessDenied)
+readonly  read    → allowed
+readonly  write   → denied  (BadUserAccessDenied)
+readwrite write   → allowed
+admin     write   → allowed
+alarmack  write   → denied  (BadUserAccessDenied)
+bad password      → denied  (connection rejected)
+```
+
 ## Notes
 
 The service deployment and restart succeeded. The live CLI checks confirm the endpoint is reachable and that the array node identifier has changed to the bracketless form. The array value on the live service still prints as blank even though the status is good, so if this environment should have populated `MoveInPartNumbers`, the runtime data path still needs follow-up investigation.