SOLVED in Ubuntu Lucid: use 'libnss-ldapd' and 'libpam-ldapd' (note the 'd' at the end of the packages) together with the 'nslcd' package (note the 'l' in the middle).
This allows setting the user and group with which the 'nslcd' daemon runs in '/etc/nslcd.conf'. I set the group from 'nslcd' to 'ssl-cert' and made sure that the key file can be read by that group.
My '/etc/nslcd.conf' reads as follows:
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
# The location at which the LDAP server(s) should be reachable.
uri ldap://<put server address here>
# The search base that will be used for all queries.
base <put LDAP base here>
# The LDAP protocol version to use.
# SSL options
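
The group and key-file permission arrangement described in the post can be checked with a short script. This is an added example, not part of the original post; it assumes the configuration sets the 'gid' and 'tls_key' options from nslcd.conf(5), which the listing above does not show, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the TLS key named in nslcd.conf is readable by
# the group nslcd runs as, and not accessible to "other".
# Assumption: the config sets 'gid' and 'tls_key' (see nslcd.conf(5)).

# conf_value FILE OPTION: print the value of the last uncommented OPTION line.
conf_value() {
    awk -v opt="$2" '$1 == opt { val = $2 } END { if (val != "") print val }' "$1"
}

# check_nslcd_key CONF
# returns 0 = ok, 1 = gid or tls_key missing from CONF, 2 = key file missing,
#         3 = key not owned by nslcd's group, 4 = key not group-readable,
#         5 = key accessible by "other"
check_nslcd_key() {
    conf=$1
    gid=$(conf_value "$conf" gid)
    key=$(conf_value "$conf" tls_key)
    [ -n "$gid" ] && [ -n "$key" ] || return 1
    [ -f "$key" ] || return 2

    # ls -ld shows the group name, ls -ldn the numeric id; gid may be either.
    mode=$(ls -ld "$key" | awk '{print $1}')
    grp_name=$(ls -ld "$key" | awk '{print $4}')
    grp_num=$(ls -ldn "$key" | awk '{print $4}')

    [ "$gid" = "$grp_name" ] || [ "$gid" = "$grp_num" ] || return 3
    # Mode string layout: type, owner rwx, group rwx, other rwx.
    [ "$(printf '%s' "$mode" | cut -c5)" = "r" ] || return 4
    [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ] || return 5
    return 0
}

# Usage: sh check_nslcd_key.sh /etc/nslcd.conf
if [ "$#" -gt 0 ]; then
    rc=0
    check_nslcd_key "$1" || rc=$?
    echo "check_nslcd_key: status $rc"
fi
```

A status of 0 means the key is owned by the group nslcd runs as, is group-readable, and has no permissions for other users.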