test(integration): F21 — docker-compose + env-driven SQL/LDAP harness mode

Adds a real-infra mode for the integration test harness alongside the default
in-memory mode. Drops the previously-untested code paths (EF SqlServer
behaviors, real LDAP bind) under env-var control without breaking the
zero-infra default that CI runs.

- docker-compose.yml — minimal SQL 2022 (14331) + OpenLDAP (3894) stack
  (ports chosen to coexist with docker-dev/ on 14330/3893)
- HarnessMode record reads OTOPCUA_HARNESS_USE_SQL=1 / USE_LDAP=1 from env
- SQL mode: per-harness unique DB OtOpcUa_Harness_{guid}, EnsureCreated
  at startup, EnsureDeleted on dispose (best-effort)
- LDAP mode: drops StubLdapAuthService and configures real LdapAuthService
  against the compose'd OpenLDAP via Authentication:Ldap:* config keys
- Microsoft.EntityFrameworkCore.SqlServer added to the test project
- README documents both modes + the macOS no-Docker caveat

Default in-memory mode unchanged — all 9 existing tests still pass.

tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/docker-compose.yml

@@ -0,0 +1,57 @@
+# Real-mode dependencies for ZB.MOM.WW.OtOpcUa.Host.IntegrationTests.
+#
+# The default harness (TwoNodeClusterHarness) uses EF InMemoryDatabase + StubLdapAuthService
+# so the suite runs anywhere with zero infrastructure. This compose stack exists for two
+# situations the in-memory mode can't cover:
+#
+#   1. EF behaviors that diverge between provider implementations — index uniqueness,
+#      RowVersion concurrency, JSON column round-trips, EF migration application.
+#   2. Real LDAP binds against an OpenLDAP server with the dev users from
+#      C:\publish\glauth\auth.md.
+#
+# Activate by setting these env vars before running the suite:
+#
+#   export OTOPCUA_HARNESS_USE_SQL=1
+#   export OTOPCUA_HARNESS_USE_LDAP=1
+#   docker compose -f tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/docker-compose.yml up -d
+#   dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests --filter "Category!=E2E"
+#   docker compose -f tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/docker-compose.yml down -v
+#
+# Ports differ from docker-dev/ on purpose so both stacks can run side-by-side:
+#   - SQL:  14331 (docker-dev uses 14330)
+#   - LDAP: 3894  (docker-dev uses 3893)
+#
+# DESKTOP-6JL3KKO note: Docker Desktop is not installed here. Run this stack on the shared
+# Linux Docker host (10.100.0.35) per docs/v2/dev-environment.md, or in CI on Linux.
+
+name: otopcua-harness
+
+services:
+
+  sql:
+    image: mcr.microsoft.com/mssql/server:2022-latest
+    environment:
+      ACCEPT_EULA: "Y"
+      SA_PASSWORD: "OtOpcUa!Harness123"
+      MSSQL_PID: Developer
+    ports:
+      - "14331:1433"
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'OtOpcUa!Harness123' -No -Q 'SELECT 1' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 20
+
+  ldap:
+    # OpenLDAP image — same one docker-dev/ uses, just on a different port. Dev users
+    # alice/bob match the GLAuth fixtures so AuthEndpoints contract tests share creds.
+    image: bitnami/openldap:2.6
+    environment:
+      LDAP_ROOT: "dc=lmxopcua,dc=local"
+      LDAP_ADMIN_USERNAME: "admin"
+      LDAP_ADMIN_PASSWORD: "ldapadmin"
+      LDAP_USERS: "alice,bob"
+      LDAP_PASSWORDS: "alice123,bob123"
+      LDAP_USER_DC: "ou=FleetAdmin"
+    ports:
+      - "3894:1389"