Hello,
looking for a way to implement alternative passwords for a given object (i.e. account information). The tricky part, such passwords should not be usable in every application but e.g. for mail access only, not for interactive login. Such a feature can be seen in the nextcloud application where such "app passwords" may be unusable for accessing files while the calendar can still be read and written. The idea behind this is obviously being able to store such a password on a mobile device that might got stolen or lost otherwise - without compromising all other services the account credentials are be valid for. The global (or default) password should still be usable in any place - although users should avoid that.
The "restriction to an application" logic could possibly be implemented using an attribute I'd call "capability", but I have no clue how to handle the passwords.
Findings so far: It is possible to store more than one userPassword in an account object, but now I cannot see how to tell apart which of the ones was used for successful binding, and I reckon this is not possible at all in a sane way.
Enhancing the schema I might store the the extra password/capabilities combos in separate objects. But this creates the question how to deal with applications that don't allow to enter the entire request string.
Another idea I could think of was to have separate objects ("cn=john.doe", "cn=john.doe+login") - but I consider that ugly.
Other ideas? Or even solutions that already exist?
Christoph