cbc78465e0
Replace Windows Integrated Auth with direct LDAP bind (username/password login form). Add JWT-based sessions with HMAC-SHA256 shared key for load balancer compatibility. 15-minute token refresh re-queries LDAP for current group memberships. 30-minute configurable idle timeout. LDAP failure: new logins fail, active sessions continue with current roles until LDAP recovers.