feat: add JoeAppEngine OPC UA nodes, fix DCL auto-reconnect and quality push

- Add JoeAppEngine folder to OPC UA nodes.json (BTCS, AlarmCntsBySeverity, Scheduler/ScanTime)
- Fix DataConnectionActor: capture Self in PreStart for use from non-actor threads,
  preventing Self.Tell failure in Disconnected event handler
- Implement InstanceActor.HandleConnectionQualityChanged to mark attributes Bad on disconnect
- Fix LmxFakeProxy TagMapper to serialize arrays as JSON instead of "System.Int32[]"
- Allow DataType and DataSourceReference updates in TemplateService.UpdateAttributeAsync
- Update test_infra_opcua.md with JoeAppEngine documentation

src/ScadaLink.CLI/README.md

@@ -41,8 +41,8 @@ These options are accepted by the root command and inherited by all subcommands.
 | Option | Description |
 |--------|-------------|
 | `--contact-points <value>` | Comma-separated Akka cluster contact point URIs |
-| `--username <value>` | LDAP username (reserved for future auth integration) |
-| `--password <value>` | LDAP password (reserved for future auth integration) |
+| `--username <value>` | LDAP username for authentication |
+| `--password <value>` | LDAP password for authentication |
 | `--format <json\|table>` | Output format (default: `json`) |
 
 ## Configuration File
@@ -55,12 +55,19 @@ These options are accepted by the root command and inherited by all subcommands.
   "ldap": {
     "server": "ldap.company.com",
     "port": 636,
-    "useTls": true
+    "useTls": true,
+    "searchBase": "dc=example,dc=com",
+    "serviceAccountDn": "cn=admin,dc=example,dc=com",
+    "serviceAccountPassword": "secret"
   },
   "defaultFormat": "json"
 }
 ```
 
+The `searchBase` and `serviceAccountDn`/`serviceAccountPassword` fields are required for LDAP servers that need search-then-bind authentication (including the test GLAuth server). Without them, direct bind with `cn={username},{searchBase}` is attempted, which may fail if the user's DN doesn't follow that pattern.
+
+For the Docker test environment, see `docker/README.md` for a ready-to-use config.
+
 ## Environment Variables
 
 | Variable | Description |
@@ -435,7 +442,7 @@ scadalink --contact-points <uri> instance set-bindings --id <int> --bindings <js
 | Option | Required | Description |
 |--------|----------|-------------|
 | `--id` | yes | Instance ID |
-| `--bindings` | yes | JSON string mapping attribute names to data connection IDs (e.g. `{"attr1": 1, "attr2": 2}`) |
+| `--bindings` | yes | JSON array of `[attributeName, dataConnectionId]` pairs (e.g. `[["Speed",7],["Temperature",7]]`) |
 
 ---
 
@@ -1270,7 +1277,7 @@ The CLI connects to the Central cluster using Akka.NET's `ClusterClient`. It doe
 
 The connection is established per-command invocation and torn down cleanly via `CoordinatedShutdown` when the command completes.
 
-Role enforcement is applied by the ManagementActor on the server side. The current CLI placeholder user carries `Admin`, `Design`, and `Deployment` roles; production use will integrate LDAP authentication via `--username` / `--password`.
+Role enforcement is applied by the ManagementActor on the server side. The CLI authenticates against LDAP using `--username` / `--password`, resolves LDAP group memberships, then maps groups to ScadaLink roles (Admin, Design, Deployment) via role mappings configured in the security settings. Operations require the appropriate role — for example, creating templates requires `Design`, deploying requires `Deployment`. In the test environment, use the `multi-role` user (password: `password`) which has all three roles.
 
 ## Issues & Missing Features