Comment 3 for bug 1452087

ben thielsen (btb-bitrate) wrote :

there was an apparmor message logged:

May 6 22:52:05 server kernel: audit: type=1400 audit(1430967118.381:12): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/slapd" name="/run/nslcd/" pid=1419 comm="slapd" requested_mask="c" denied_mask="c" fsuid=108 ouid=108

adding to /etc/apparmor.d/local/usr.sbin.slapd [among some other things]:

  /etc/ldap/pki/** rw,
  /{,var/}run/slapd/* rw,
  /{,var/}run/nslcd/ rw,
  /{,var/}run/nslcd/* rw,

seems to have addressed that, but the directory still isn't created.

temporarily changing /run/ to 777 seems to reinforce rtandy's reference. the directory is then created, but not with adequate permissions:

dr-xr-xr-x 2 openldap openldap 40 May 6 23:01 nslcd/

slapd[2357]: nssov: bind() to /var/run/nslcd/socket failed: Permission denied

adjusting them manually after creation confirms this, and slapd then starts.

at the moment, I've added the following to the init script:

NSSOV_SOCKETDIR='/var/run/nslcd'

start_slapd() {
    # pre-create the nssov socket directory with a mode slapd can bind() in,
    # owned by the user slapd runs as (chown only runs if mkdir succeeded)
    [ -d "${NSSOV_SOCKETDIR}" ] || { mkdir -m 755 "${NSSOV_SOCKETDIR}" && \
        chown openldap:openldap "${NSSOV_SOCKETDIR}"; }
    # ... rest of the original start_slapd() follows
}

which solves the problem for me [albeit the wrong way, imo], since it's blindly doing it regardless of whether the overlay is actually in use.
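As an added example (not part of this bug comment or of the slapd init script), here is an init-script helper that only creates the socket directory when the nssov overlay is actually configured, which addresses the "blindly doing it" objection above. The function names (nssov_configured, ensure_socketdir, setup_nssov_socketdir) and the parameters are hypothetical; it assumes slapd is configured either via slapd.conf ("overlay nssov") or via cn=config under slapd.d (an "olcOverlay: {n}nssov" attribute), and it creates the directory with mode 0755 so the owner has the write bit that the dr-xr-xr-x directory seen above lacked.

```shell
#!/bin/sh
# Added example, not from the bug report: create the nssov socket directory
# only when the overlay is configured, with permissions slapd can bind() in.

# Return 0 if an nssov overlay is configured at the given slapd config path.
# A directory is treated as slapd.d (cn=config LDIF), a file as slapd.conf.
nssov_configured() {
    cfg="$1"
    if [ -d "$cfg" ]; then
        grep -rqsE '^olcOverlay:[[:space:]]*(\{[0-9]+\})?nssov[[:space:]]*$' "$cfg"
    elif [ -f "$cfg" ]; then
        grep -qsE '^[[:space:]]*overlay[[:space:]]+nssov[[:space:]]*$' "$cfg"
    else
        return 1
    fi
}

# Create $dir with mode 0755 (-m is applied regardless of umask), owned by
# $owner:$group when running as root, and fail if it is still not writable.
ensure_socketdir() {
    dir="$1"; owner="$2"; group="$3"
    if [ ! -d "$dir" ]; then
        mkdir -p -m 0755 "$dir" || return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dir" || return 1
    fi
    # repair a pre-existing directory that lost its write bit (dr-xr-xr-x)
    chmod 0755 "$dir" || return 1
    [ -w "$dir" ] || return 1
}

# Glue for an init script: do nothing (success) when nssov is not in use.
setup_nssov_socketdir() {
    cfg="$1"; dir="$2"; owner="$3"; group="$4"
    if nssov_configured "$cfg"; then
        ensure_socketdir "$dir" "$owner" "$group"
    else
        return 0
    fi
}

# Typical call from start_slapd(), assuming the Debian/Ubuntu defaults:
#   setup_nssov_socketdir /etc/ldap/slapd.d /var/run/nslcd openldap openldap
```

The chown is skipped when not running as root so the helper can be exercised as an unprivileged user; in the init script it runs as root and the directory ends up owned by openldap, as in the manual fix above.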