fix(glauth): rename OPC/Gw testers to avoid username/group case-collision

glauth exposes each group as cn=<Group> under ou=users, so a case-insensitive
(cn=x) search matched both the user and the group (2 entries -> the shared
ZB.MOM.WW.Auth.Ldap 'exactly one entry' rule failed the bind). Renamed the 4
colliding testers (readonly/writetune/alarmack/gwreader) + the 2 siblings for
consistency: opc-readonly/opc-writeop/opc-writetune/opc-writeconfig/opc-alarmack
and gw-viewer. Verified gw-viewer logs into the MxGateway dashboard as Viewer.
multi-role/admin/designer/etc. were never affected (no case-collision).
Joseph Doherty
2026-06-04 16:19:33 -04:00
parent 0f2b2b8351
commit 4c0f1eaaf7
2 changed files with 19 additions and 10 deletions
+8 -3
@@ -26,9 +26,14 @@ each app maps only its own family and ignores the rest.
uses for search-then-bind. Has a `search *` capability.
- **`multi-role`** — member of **every** group → all roles in all three apps (canonical cross-app login).
- **`admin`** — `SCADA-Admins` + `GwAdmin` + `OtOpcUa-Admins` → Administrator everywhere.
- Per-role testers: `designer` / `deployer` / `site-deployer` (ScadaBridge); `gwreader`
(MxGateway Viewer); `otdesigner` / `otviewer` (OtOpcUa); `readonly` / `writeop` / `writetune`
/ `writeconfig` / `alarmack` (OPC perms).
- Per-role testers: `designer` / `deployer` / `site-deployer` (ScadaBridge); `gw-viewer`
(MxGateway Viewer); `otdesigner` / `otviewer` (OtOpcUa); `opc-readonly` / `opc-writeop` /
`opc-writetune` / `opc-writeconfig` / `opc-alarmack` (OPC perms).
> **Naming rule:** a tester username must **not** case-collide with a group name. GLAuth exposes
> each group as `cn=<Group>` under `ou=users`, so a case-insensitive `(cn=x)` search would match
> both the user and the group (two entries → the shared lib's "exactly one entry" rule fails the
> bind). That's why the OPC/Gw testers are `opc-*` / `gw-viewer`, not `readonly` / `gwreader`.
## Deploy on `10.100.0.35`
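Review bot: the naming rule added in the blockquote is documented only as a convention, so nothing stops the next tester username from case-colliding with a group `cn` (the page names `SCADA-Admins`, `GwAdmin`, `OtOpcUa-Admins`, `GwReader`, and the doc list shows `otdesigner` / `otviewer` kept their old names without saying they were checked). Consider pairing the rule with a mechanical check, for example a script or CI step that reads the glauth config and fails when any `[[users]] name` equals any group name under case folding, and mention that check here next to the rule. It would also help to state in the rule which search filter the shared lib issues, since the failure mode only appears with a case-insensitive `(cn=x)` search against `ou=users`.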
+11 -7
@@ -118,36 +118,40 @@
primarygroup = 5504
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
# MxGateway dashboard Viewer tester
# MxGateway dashboard Viewer tester.
# NOTE: tester usernames must NOT case-collide with a group name — glauth exposes
# each group as cn=<Group> under ou=users, so a case-insensitive (cn=X) search
# would match both the user and the group (ambiguous → auth fails). Hence gw-viewer
# (not "gwreader" which collides with the GwReader group), opc-* below, etc.
[[users]]
name = "gwreader"
name = "gw-viewer"
uidnumber = 5106
primarygroup = 5611
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
# OPC-UA permission testers
[[users]]
name = "readonly"
name = "opc-readonly"
uidnumber = 5101
primarygroup = 5601
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
[[users]]
name = "writeop"
name = "opc-writeop"
uidnumber = 5102
primarygroup = 5602
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
[[users]]
name = "writetune"
name = "opc-writetune"
uidnumber = 5103
primarygroup = 5603
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
[[users]]
name = "writeconfig"
name = "opc-writeconfig"
uidnumber = 5104
primarygroup = 5604
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
[[users]]
name = "alarmack"
name = "opc-alarmack"
uidnumber = 5105
primarygroup = 5605
passsha256 = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
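Review bot: all six renamed `[[users]]` entries in this hunk carry the same literal `passsha256` value, and the README hunk above deploys this config to a named host. Since the rename touched every one of these entries anyway, this is the place to either move the shared hash behind a comment marking it test-only (and excluded from the deployed config) or give each tester a distinct hash, so an ambiguous-bind regression test cannot be confused with a credential-sharing one. The rename itself looks consistent: each entry keeps its `uidnumber` / `primarygroup` pair (5106/5611, 5101/5601 through 5105/5605), so group membership and the per-role mapping are unchanged. One small mismatch: the new comment writes the filter as `(cn=X)` while the README writes `(cn=x)`; pick one spelling so a reader grepping for the rule finds both.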