Add LDAP authentication with role-based OPC UA permissions

Replace static user list with GLAuth LDAP authentication. Group membership (ReadOnly, ReadWrite, AlarmAck) maps to granular OPC UA permissions for write and alarm-ack operations. Anonymous can still browse and read but not write. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 18:57:30 -04:00
parent 9d3599fbb6
commit 74107ea95e
16 changed files with 726 additions and 17 deletions
--- a/src/ZB.MOM.WW.LmxOpcUa.Host/appsettings.json
+++ b/src/ZB.MOM.WW.LmxOpcUa.Host/appsettings.json
@@ -35,8 +35,21 @@
  },
  "Authentication": {
    "AllowAnonymous": true,
-    "AnonymousCanWrite": true,
-    "Users": []
+    "AnonymousCanWrite": false,
+    "Users": [],
+    "Ldap": {
+      "Enabled": false,
+      "Host": "localhost",
+      "Port": 3893,
+      "BaseDN": "dc=lmxopcua,dc=local",
+      "BindDnTemplate": "cn={username},dc=lmxopcua,dc=local",
+      "ServiceAccountDn": "cn=serviceaccount,dc=lmxopcua,dc=local",
+      "ServiceAccountPassword": "serviceaccount123",
+      "TimeoutSeconds": 5,
+      "ReadOnlyGroup": "ReadOnly",
+      "ReadWriteGroup": "ReadWrite",
+      "AlarmAckGroup": "AlarmAck"
+    }
  },
  "Security": {
    "Profiles": ["None"],