I am creating a Nextcloud and groupware server using the following components:
- Master/Master LDAP for user authentication
- Postfix mail server
- HA Dovecot setup
- Z-Push server for ActiveSync connectivity
- Nextcloud server
I am setting this all up using Ansible, so when it is all done I will upload my roles and playbooks to GitHub so others can enjoy the work.
This is all working like a charm in a small test environment, but for security reasons I'm thinking of enabling OTP. This, however, gives me the following problem:
For syncing the Nextcloud contacts and agenda you need to create an app password (of course). Mail, however (in Dovecot), needs the normal LDAP password. This breaks Z-Push and is confusing for users.
Now I know Dovecot is very flexible when it comes to authentication; you can use multiple password backends. So I can make Dovecot also use a password file or an SQL query for password lookup.
Can someone tell me if it is possible to use a Nextcloud-generated app password for this? As far as I can see the app password itself is not stored anywhere in the database (also not in a usable encrypted way). Or maybe I am not looking well enough?
Or maybe someone has an altogether better idea.
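One way to wire up the multiple-backend lookup the post mentions, as an added example that is not part of the original post: Dovecot 2.x `passdb` blocks that try LDAP first and fall through to a passwd-file holding one hashed app password per user. The file paths, the `SHA512-CRYPT` scheme, and the existence of a separate `/etc/dovecot/app-passwords` file are assumptions for the example; the LDAP config file name is Dovecot's usual one but is also only an assumption here.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (path assumed for this example)

# First backend: the normal LDAP password.
# Dovecot's default result_failure = continue means a failed LDAP check
# falls through to the next passdb instead of rejecting the login outright.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Second backend: a passwd-file with one hashed app password per user.
# One line per user, e.g.:   alice:{SHA512-CRYPT}$6$...
# Generate the hash with:    doveadm pw -s SHA512-CRYPT
passdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/app-passwords
}

# Account lookup (home, uid/gid, quota) stays in LDAP so user data has one source.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

Two things worth keeping in mind with this layout: the passwd-file is a second credential that bypasses whatever OTP policy sits in front of LDAP, so restrict it to the Dovecot auth process (root-owned, mode 0600, written only by your Ansible role) and hash entries rather than storing them in clear; and because the two passdbs are tried in order, enable `auth_debug = yes` while testing so the log shows which backend actually accepted a login.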