Remove static Users auth, use shared QualityMapper for historian, simplify LDAP permission checks

- Remove ConfigUserAuthenticationProvider and Users property — LDAP is the only auth mechanism
- Fix historian quality mapping to use existing QualityMapper (OPC DA quality bytes, not custom mapping)
- Add AppRoles constants, unify HasWritePermission/HasAlarmAckPermission into shared HasRole helper
- Hoist write permission check out of per-item loop, eliminate redundant _ldapRolesEnabled field
- Update docs (Configuration.md, Security.md, OpcUaServer.md, HistoricalDataAccess.md)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/security.md

@@ -147,19 +147,23 @@ Remove `None` from the `Profiles` list to prevent unencrypted connections:
 }
 ```
 
-### 3. Configure named users
+### 3. Configure LDAP authentication
 
-Disable anonymous access and define named users in the `Authentication` section. Use `AnonymousCanWrite` to control whether anonymous clients (if still allowed) can write:
+Enable LDAP authentication to validate credentials against the GLAuth server. LDAP group membership controls what each user can do (read, write, alarm acknowledgment). See [Configuration Guide](Configuration.md) for the full LDAP property reference.
 
 ```json
 {
   "Authentication": {
     "AllowAnonymous": false,
     "AnonymousCanWrite": false,
-    "Users": [
-      { "Username": "operator", "Password": "secure-password" },
-      { "Username": "viewer", "Password": "read-only-password" }
-    ]
+    "Ldap": {
+      "Enabled": true,
+      "Host": "localhost",
+      "Port": 3893,
+      "BaseDN": "dc=lmxopcua,dc=local",
+      "ServiceAccountDn": "cn=serviceaccount,dc=lmxopcua,dc=local",
+      "ServiceAccountPassword": "serviceaccount123"
+    }
   }
 }
 ```