diff --git a/CHANGES b/CHANGES
index 702377be1..83af1e2fb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1852,4 +1852,5 @@
 [5.0.6]
 * Make mail eventlog only visible to owners
+* Make app password work with sftp
diff --git a/src/ldap.js b/src/ldap.js
index 426f0fed1..1365f1c1f 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -534,13 +534,16 @@ function authenticateSftp(req, res, next) {
 var parts = email.split('@');
 if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
- // actual user bind
- users.verifyWithUsername(parts[0], req.credentials, users.AP_SFTP, function (error) {
+ apps.getByFqdn(parts[1], function (error, app) {
 if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
- debug('sftp auth: success');
+ users.verifyWithUsername(parts[0], req.credentials, app.id, function (error) {
+ if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
- res.end();
+ debug('sftp auth: success');
+
+ res.end();
+ });
 });
 }
diff --git a/src/users.js b/src/users.js
index aaaf185b1..6e88a8b1b 100644
--- a/src/users.js
+++ b/src/users.js
@@ -31,7 +31,6 @@ exports = module.exports = {
 count: count,
 AP_MAIL: 'mail',
- AP_SFTP: 'sftp',
 AP_WEBADMIN: 'webadmin',
 ROLE_ADMIN: 'admin',
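Review bot: In the `authenticateSftp` hunk of src/ldap.js, every `apps.getByFqdn` failure is answered with `InvalidCredentialsError` and no log line, so an unknown FQDN, a backend error and a wrong password cannot be told apart when failed SFTP logins are investigated; a `debug('sftp auth: app lookup failed for %s', parts[1]);` before that return keeps the client-facing answer uniform while leaving a trace. `app.id` is dereferenced without a guard, which would throw if the lookup can ever succeed without an app (not visible here); `if (error || !app) return next(new ldap.InvalidCredentialsError(req.dn.toString()));` covers that. The bind presumably proves only that the credential matches for that app id, and nothing in this hunk checks that the user is allowed to access the app named by `parts[1]`, so confirm that check is made elsewhere. The inner callback also shadows `error`, and the function begins outside the hunk.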