diff --git a/openldap-nss-reregister-nss-shutdown-callback.patch b/openldap-nss-reregister-nss-shutdown-callback.patch
new file mode 100644
index 0000000..03b8611
--- /dev/null
+++ b/openldap-nss-reregister-nss-shutdown-callback.patch
@@ -0,0 +1,50 @@
+NSS: re-register NSS_Shutdown callback
+
+Original upstream comment:
+"""
+When there's a persistent daemon for auth and it sets LDAP_OPT_X_TLS_NEWCTX, it
+fails to auth at third login.
+
+1. everything is good and destroyed after use but
+tlsm_register_shutdown_callonce.initialized=1.
+2. still good but because tlsm_register_shutdown_callonce.initialized==1, it
+fails to register shutdown function.
+ so pem_module is not destroyed at the end.
+3. pem_module is not NULL so it's not initialized again and not added to modules
+list. And Login fails.
+"""
+
+Sent-By: soohoon.lee@f5.com
+Original-Name: soohoon-lee-160823.patch
+Upstream-ITS: 8484
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index cdf7f8e..cf05914 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1145,6 +1145,8 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ return ret;
+ }
+ 
++static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
++
+ static SECStatus
+ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ {
+@@ -1157,10 +1159,15 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ SECMOD_DestroyModule( pem_module );
+ pem_module = NULL;
+ }
++
++ /* init callonce so it can be armed again for cases like persistent daemon with LDAP_OPT_X_TLS_NEWCTX */
++ tlsm_register_shutdown_callonce.initialized = 0;
++ tlsm_register_shutdown_callonce.inProgress = 0;
++ tlsm_register_shutdown_callonce.status = 0;
++
+ return rc;
+ }
+ 
+-static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
+ static PRStatus PR_CALLBACK
+ tlsm_register_nss_shutdown_cb( void )
+ {
diff --git a/openldap.spec b/openldap.spec
index 2635fbd..22e7881 100644
--- a/openldap.spec
+++ b/openldap.spec
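Review bot: The re-arm added to tlsm_nss_shutdown_cb writes the PRCallOnceType fields directly, bypassing the lock PR_CallOnce uses to serialize on that control block, so it is only correct on the assumption that no other thread can be inside PR_CallOnce on tlsm_register_shutdown_callonce while NSS_Shutdown is running its callbacks; the hunk leaves that ordering assumption unstated. I would replace the added comment with one that records it: `/* Re-arm the callonce by hand, without PR_CallOnce's lock: this runs from NSS_Shutdown, when no other thread may be registering the callback. */`. `status = 0` relies on PR_SUCCESS being zero; writing `tlsm_register_shutdown_callonce.status = PR_SUCCESS;` states the intent and matches the enum type of the field. The moved definition also now sits ahead of tlsm_nss_shutdown_cb, which is needed for the assignments to compile and is worth a one-line note at the declaration. The definition of tlsm_register_nss_shutdown_cb begins at the end of the hunk and continues outside it.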
@@ -5,7 +5,7 @@ Name: openldap Version: 2.4.45 -Release: 1%{?dist} +Release: 2%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -34,6 +34,7 @@ Patch14: openldap-nss-ignore-certdb-type-prefix.patch Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch Patch16: openldap-nss-pk11-freeslot.patch Patch17: openldap-allop-overlay.patch +Patch18: openldap-nss-reregister-nss-shutdown-callback.patch # fix back_perl problems with lt_dlopen() # might cause crashes because of symbol collisions @@ -146,6 +147,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 %patch19 -p1 %patch20 -p1 %patch22 -p1 @@ -546,6 +548,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Tue Dec 5 2017 Matus Honek - 2.4.45-2 +- fix: openldap does not re-register nss shutdown callbacks after nss_Shutdown is called (#1520990) + * Fri Jul 7 2017 Matus Honek - 2.4.45-1 - Rebase to version 2.4.45 (#1458081) * fixes CVE-2017-9287 (#1456712, #1456713)