The problem with the two password requests can be solved by adding 'use_first_pass' to the line with pam_unix.so, such that it looks like:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
However, this does not solve the problem when the LDAP connection is encrypted and the certificate can only be read by root. Also, in Hardy, gnome-screensaver does not seem to communicate with the NSCD, but tries to call the LDAP server directly.
I still don't get why the workaround setting gnome-screensaver-dialog SUID doesn't work anymore. In that case pam_ldap should run with root rights. Has anyone more insight on the authentication mechanism? Maybe gnome-screensaver-dialog calls another program to do the actual verification in newer versions...
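A check for the certificate-readability failure described in the comment above, added here as an example and not part of the original post: it lists the TLS files named in a pam_ldap-style configuration that the calling user cannot read, so it should be run as the desktop user rather than root. The config path (for example /etc/ldap.conf) is an assumption; the directives checked are pam_ldap's `tls_cacertfile`, `tls_cert` and `tls_key`.

```shell
#!/bin/sh
# Added example (not from the original post): find TLS files referenced by a
# pam_ldap-style config that the *current* user cannot read. An unprivileged
# screen-locker process calling pam_ldap directly hits exactly these files.

# unreadable_tls_files CONF
# Prints "<directive> <path>" for each tls_cacertfile / tls_cert / tls_key
# entry whose file is missing or unreadable by the calling user.
# Returns 0 if every file is readable, 1 if any is not, 2 if CONF is unreadable.
unreadable_tls_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    rc=0
    # sed strips comments; the loop keeps only file-valued TLS directives.
    while read -r key path rest; do
        case $key in
            tls_cacertfile|tls_cert|tls_key)
                if [ -z "$path" ] || [ ! -r "$path" ]; then
                    echo "$key $path"
                    rc=1
                fi
                ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' "$conf")
EOF
    return $rc
}

# Optional stand-alone use: pass the config path as the first argument.
# The path is site-specific (assumed, e.g. /etc/ldap.conf).
if [ -n "${1:-}" ]; then
    unreadable_tls_files "$1"
fi
```

Any line it prints names a file that pam_ldap cannot open when the PAM stack runs without root rights, which is the situation the comment describes for the screensaver dialog.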