Add LDAP authentication with role-based OPC UA permissions

Replace static user list with GLAuth LDAP authentication. Group
membership (ReadOnly, ReadWrite, AlarmAck) maps to granular OPC UA
permissions for write and alarm-ack operations. Anonymous can still
browse and read but not write.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.LmxOpcUa.Host/Configuration/ConfigurationValidator.cs

@@ -104,6 +104,32 @@ namespace ZB.MOM.WW.LmxOpcUa.Host.Configuration
                 Log.Warning("Only the 'None' security profile is configured — transport security is disabled");
             }
 
+            // Authentication
+            Log.Information("Authentication.AllowAnonymous={AllowAnonymous}, AnonymousCanWrite={AnonymousCanWrite}",
+                config.Authentication.AllowAnonymous, config.Authentication.AnonymousCanWrite);
+
+            if (config.Authentication.Ldap.Enabled)
+            {
+                Log.Information("Authentication.Ldap.Enabled=true, Host={Host}, Port={Port}, BaseDN={BaseDN}",
+                    config.Authentication.Ldap.Host, config.Authentication.Ldap.Port, config.Authentication.Ldap.BaseDN);
+                Log.Information("Authentication.Ldap groups: ReadOnly={ReadOnly}, ReadWrite={ReadWrite}, AlarmAck={AlarmAck}",
+                    config.Authentication.Ldap.ReadOnlyGroup, config.Authentication.Ldap.ReadWriteGroup, config.Authentication.Ldap.AlarmAckGroup);
+
+                if (string.IsNullOrWhiteSpace(config.Authentication.Ldap.ServiceAccountDn))
+                {
+                    Log.Warning("Authentication.Ldap.ServiceAccountDn is empty — group lookups will fail");
+                }
+
+                if (config.Authentication.Users.Count > 0)
+                {
+                    Log.Warning("Authentication.Users list is ignored when Ldap is enabled");
+                }
+            }
+            else if (config.Authentication.Users.Count > 0)
+            {
+                Log.Information("Authentication.Users configured: {Count} user(s)", config.Authentication.Users.Count);
+            }
+
             // Redundancy
             if (config.OpcUa.ApplicationUri != null)
                 Log.Information("OpcUa.ApplicationUri={ApplicationUri}", config.OpcUa.ApplicationUri);