Comment 2 for bug 1452087

IIRC slapd does try to create the directory, but it's already switched users by that point, so doesn't have sufficient privileges.

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/openldap/vivid/view/head:/contrib/slapd-modules/nssov/nssov.c#L808

I don't know whether the overlay has a way to run code before switching permissions. Might be worth filing an ITS about, as this really should work. Otherwise, the init script is probably the most reasonable place to do it; but only if nssov is actually being used.

(apparmor may also be involved as pmatulis suggests. I didn't check.)