Comment 30 for bug 64301

Emu (email-eziegler) wrote :

The point is that the certificate key should *never* be world readable for security reasons. Otherwise you might as well not use encryption at all as any user on your system can access it. That's the whole reason for the nscd/nslcd concept. Better use the solution I posted above.

Some explanations for those who are interested (they might not be accurate as I'm not aware of how things are implemented, but they make sense to me):

The PAM modules are configured as dynamically linkable libraries. Since your gnome-screensaver runs with your own user rights, all libraries linked into it run with user rights as well. So when gnome-screensaver tries to connect to the LDAP server via PAM, it cannot read the certificate key and fails to connect, resulting in a rejected password.

One solution would be to allow all users to read the key, but that's a giant security hole as mentioned above. Another solution would be to set the SUID bit of the gnome-screensaver dialog so it runs with root rights no matter which user started it (this hasn't worked for some time; my guess is that the program checks if it runs with root rights and fails, to prevent users from gaining root rights using buffer overflows or other bugs in the program). This worked for the KDE screensaver though.

That's the reason why the nscd was so important with the old systems. Instead of invoking the PAM modules directly most programs would do authentication via nscd which runs as root and thus can connect to the LDAP server. However, gnome-screensaver never did :(

The new packages introduce nslcd which does not need to be addressed by gnome-screensaver as the PAM modules communicate with it automatically. It also doesn't run with root rights unless explicitly set (which is not necessary), but with sufficient rights to read the key file. Therefore it allows keeping the certificate key closed without the risk of someone abusing it to gain root rights.
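
Added example, not part of the comment above or of any package mentioned in it: a shell check that a TLS private key file is accessible only to the account the LDAP daemon runs as, which is the property the comment argues for. It assumes GNU coreutils `stat`; the function name, the key path and the `nslcd` account name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: audit the permissions of an LDAP client private key.
# Assumption: GNU coreutils stat (-c format strings).

# check_key_perms FILE EXPECTED_UID
# Prints one line per problem; returns 0 if the key is private, 1 otherwise.
check_key_perms() {
    file=$1
    want_uid=$2
    bad=0

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$file")   # octal permission bits, e.g. 640
    uid=$(stat -c '%u' "$file")    # numeric owner
    other=$((mode % 10))           # last octal digit: every other local user
    group=$((mode / 10 % 10))      # middle octal digit: owning group

    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        bad=1
    fi
    if [ "$other" -ne 0 ]; then
        echo "FAIL: mode $mode gives access to all local users"
        bad=1
    fi
    if [ $((group & 2)) -ne 0 ]; then
        echo "FAIL: mode $mode lets the owning group replace the key"
        bad=1
    fi
    if [ $((group & 4)) -ne 0 ]; then
        # Group read can be intentional, so report it without failing.
        echo "NOTE: readable by gid $(stat -c '%g' "$file"); review its members"
    fi
    return "$bad"
}

# Usage (placeholder path and account name):
#   check_key_perms /path/to/ldap-client.key "$(id -u nslcd)"
```

A key with mode 644 fails the check, 600 owned by the daemon account passes silently, and 640 passes with a note to review the group.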