Using app passwords for external services (like Dovecot)

Hi,

I am creating a nextcloud and groupware server using the following components

  • Master / Master LDAP for user/auth
  • Postfix mail server
  • HA Dovecot setup.
  • z-push server for activesync connectivity
  • Nextcloud server

I am setting this all up using Ansible, so when it is all done I will upload my roles and playbooks to GitHub so others can enjoy the work :slight_smile:

This is all working like a charm in a small test environment but for security reasons I’m thinking of enabling OTP. This however gives me the following problem:

For syncing the Nextcloud contacts and agenda you need to create an app password (of course). The mail however (in Dovecot) needs the normal LDAP password. This breaks z-push, and is confusing for users.

Now I know Dovecot is very flexible when it comes to authentication; you can use multiple password backends. So I can make Dovecot also use a password file or an SQL query for password lookup.

Can someone tell me if it is possible to use a Nextcloud-generated app password for this? As far as I can see the app password itself is not stored anywhere in the database (also not in a usable encrypted way). Or maybe I am not looking hard enough? :slight_smile:

Or maybe someone has a much better idea.

@ChristophWurst do you have an idea?
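One way to get what the post above asks for without knowing how Nextcloud stores its app passwords is to let Dovecot delegate the password check to Nextcloud itself: a checkpassword backend that tries the submitted user:password pair as HTTP Basic auth against a Nextcloud OCS endpoint, which accepts app passwords exactly like the sync clients do. The following is an added example written for this thread; it is not code from the original post or from the linked playbooks. Assumptions are marked in the code: the Nextcloud base URL, that the IMAP login name equals the Nextcloud user id, and the Dovecot `passdb { driver = checkpassword }` wiring shown in the docstring. The HTTP verifier is injectable so the decision logic can be tested offline with a fake verifier.

```python
"""
Dovecot checkpassword backend that validates an IMAP/POP login against Nextcloud,
so users can log in to Dovecot with a Nextcloud app password.

Assumed Dovecot wiring (standard checkpassword driver):
    passdb {
      driver = checkpassword
      args = /usr/local/libexec/dovecot/nextcloud-checkpassword
    }
Dovecot writes "user\\0password\\0..." to file descriptor 3 and passes the path
of its reply program as argv[1]. On success the script exec()s that program
(exit status 0); exit 1 means bad credentials, 111 a temporary failure.
"""
import base64
import os
import sys
import urllib.error
import urllib.request

# Assumption: adjust to your instance. Must be HTTPS, the app password travels in the header.
NEXTCLOUD_URL = "https://cloud.example.com"
# Returns the authenticated user's own record; any valid login (app password included) works.
OCS_ENDPOINT = "/ocs/v2.php/cloud/user"

EXIT_OK, EXIT_DENIED, EXIT_MISUSE, EXIT_TEMPFAIL = 0, 1, 2, 111


def parse_checkpassword_input(raw: bytes):
    """Parse the NUL-separated record Dovecot writes on fd 3.

    Returns (user, password); raises ValueError when the record is malformed,
    so a truncated or empty record can never be mistaken for a valid login.
    """
    parts = raw.split(b"\0")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode("utf-8"), parts[1].decode("utf-8")


def nextcloud_verify(user: str, password: str, base_url: str = NEXTCLOUD_URL, timeout: float = 5.0):
    """Ask Nextcloud whether user:password is a valid login.

    Returns True (accepted), False (rejected) or None (temporary failure such as
    a 5xx or a connection error, which must not be reported as 'wrong password').
    """
    cred = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        base_url + OCS_ENDPOINT,
        headers={"Authorization": "Basic " + cred, "OCS-APIRequest": "true"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False
        return None
    except (urllib.error.URLError, OSError):
        return None


def decide(user: str, password: str, verify=nextcloud_verify) -> int:
    """Map the verifier's answer onto the checkpassword exit codes."""
    result = verify(user, password)
    if result is True:
        return EXIT_OK
    if result is False:
        return EXIT_DENIED
    return EXIT_TEMPFAIL


def main() -> None:
    if len(sys.argv) < 2:
        sys.exit(EXIT_MISUSE)  # no reply program given: not called by Dovecot
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = parse_checkpassword_input(fd3.read(512))
    except (OSError, ValueError):
        sys.exit(EXIT_MISUSE)
    code = decide(user, password)
    if code != EXIT_OK:
        sys.exit(code)
    # Success: tell Dovecot which user authenticated, then hand over to its reply program.
    os.environ["USER"] = user
    os.execv(sys.argv[1], [sys.argv[1]])


if __name__ == "__main__":
    main()
```

Two operational caveats: every IMAP login becomes an HTTPS request to Nextcloud, so enable Dovecot's auth cache (`auth_cache_size`) and make sure a Nextcloud outage maps to exit 111 (temporary failure) rather than 1, as the code does, or clients will start prompting users for new passwords; and because the checkpassword script only gets the user name and password, Dovecot still needs a userdb (LDAP or static) for the mailbox location.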

Sounds really interesting, looking forward to see your playbooks published! :slightly_smiling_face:

I think app passwords are "one-off" and users (clients) ought to take care of storing them. I wonder how the desktop client stores its app password. As it happens I'm just investigating how to store it in a practical yet secure way but have not found a solution so far.

Hi,

I was too busy with other projects, but I have published the playbook(s) on GitHub here: https://github.com/j-insan3/ansible-nextcloud-groupware

Maybe some options are missing at this moment; also, it only works on CentOS 7. But what is there is all working :stuck_out_tongue: