
Implementing additional passwords with limited scope / "app passwords"



Hello,

I am looking for a way to implement alternative passwords for a given object
(i.e. account information). The tricky part: such passwords should not
be usable in every application but e.g. for mail access only, not for
interactive login. Such a feature can be seen in the Nextcloud
application, where such "app passwords" may be unusable for accessing
files while the calendar can still be read and written. The idea behind
this is obviously being able to store such a password on a mobile
device that might otherwise get stolen or lost - without compromising
all other services the account credentials are valid for. The global
(or default) password should still be usable in any place - although
users should avoid that.

The "restriction to an application" logic could possibly be implemented
using an attribute I'd call "capability", but I have no clue how to
handle the passwords.

Findings so far: It is possible to store more than one userPassword in
an account object, but then I cannot see how to tell which one of them
was used for a successful bind, and I reckon this is not possible
at all in a sane way.

By enhancing the schema I might store the extra password/capability
combos in separate objects. But this raises the question of how to deal
with applications that don't allow entering the entire request string.

Another idea I could think of was to have separate objects
("cn=john.doe", "cn=john.doe+login") - but I consider that ugly.

Other ideas? Or even solutions that already exist?

    Christoph
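The "separate objects" layout from the post, modelled as an added example (not code from the original message or from any directory server): each app password is a child entry beneath the account, carrying its own userPassword hash and the poster's proposed "capability" attribute. The DN layout (uid=...,ou=people,dc=example,dc=org), the `cn=<label>` child naming, the "*" marker for the default password and the in-memory dict standing in for the directory are all assumptions; the {SSHA} hash format is the one OpenLDAP uses for userPassword.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed, in-memory stand-in for a directory subtree. Assumed layout (not
# from the post): the account is uid=<name>,ou=people,dc=example,dc=org and
# each app password is a child entry cn=<label>,uid=<name>,... carrying its own
# userPassword and a hypothetical multi-valued "capability" attribute.
BASE_DN = "ou=people,dc=example,dc=org"
ANY_CAPABILITY = "*"  # assumed marker for the default (global) password


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


@dataclass
class Credential:
    dn: str
    user_password: str          # hashed, never the clear text
    capability: FrozenSet[str]  # services this credential may be used for


DIRECTORY: Dict[str, Credential] = {}


def account_dn(uid: str) -> str:
    return f"uid={uid},{BASE_DN}"


def add_account(uid: str, password: str) -> str:
    """Create the account entry; its password is valid for every service."""
    dn = account_dn(uid)
    DIRECTORY[dn] = Credential(dn, ssha_hash(password), frozenset({ANY_CAPABILITY}))
    return dn


def add_app_password(uid: str, label: str, password: str,
                     capabilities: Iterable[str]) -> str:
    """Create a child entry holding one scoped app password."""
    dn = f"cn={label},{account_dn(uid)}"
    DIRECTORY[dn] = Credential(dn, ssha_hash(password), frozenset(capabilities))
    return dn


def authenticate(dn: str, password: str, service: str) -> bool:
    """Bind with a full DN: password must verify AND the entry must allow `service`."""
    cred = DIRECTORY.get(dn)
    if cred is None or not ssha_verify(password, cred.user_password):
        return False
    return ANY_CAPABILITY in cred.capability or service in cred.capability


def login(uid: str, password: str, service: str) -> Optional[str]:
    """Search-then-bind for clients that only supply a login name.

    Tries the account entry and every app-password child beneath it and
    returns the DN of the credential that matched, so the service can tell
    which password was used (the point the post found hard with several
    userPassword values on one entry)."""
    suffix = account_dn(uid)
    candidates = [suffix] + sorted(
        dn for dn in DIRECTORY if dn.endswith("," + suffix))
    for dn in candidates:
        if authenticate(dn, password, service):
            return dn
    return None


def revoke(dn: str) -> bool:
    """Delete one app password (e.g. after a phone is lost); other credentials stay."""
    return DIRECTORY.pop(dn, None) is not None


if __name__ == "__main__":
    acct = add_account("john.doe", "Main-Pw-1")
    phone = add_app_password("john.doe", "phone-mail", "App-Pw-2", {"mail"})
    print(login("john.doe", "App-Pw-2", "mail"))    # phone DN
    print(login("john.doe", "App-Pw-2", "login"))   # None: not scoped for login
    revoke(phone)
    print(login("john.doe", "App-Pw-2", "mail"))    # None after revocation
    print(login("john.doe", "Main-Pw-1", "mail"))   # account DN still works
```

Because every credential has its own DN, a client that binds with a full DN identifies the credential it used by construction, and a client that only knows the login name is served by the search-then-bind in `login`, which walks the account's subtree and reports which entry matched. Losing a phone then means deleting one child entry rather than rotating the account password.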